Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()

CO-RE accessor strings are colon-separated indices that describe a path
from a root BTF type to a target field, e.g. "0:1:2" walks through
nested struct members. bpf_core_parse_spec() parses each component with
sscanf("%d"), so negative values like -1 are silently accepted. The
subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the
upper bound and always pass for negative values because C integer
promotion converts the __u16 btf_vlen result to int, making the
comparison (int)(-1) >= (int)(N) false for any positive N.

When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff,
producing an out-of-bounds read far past the members array. A crafted
BPF program with a negative CO-RE accessor on any struct that exists in
vmlinux BTF (e.g. task_struct) crashes the kernel deterministically
during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y
(default on major distributions). The bug is reachable with CAP_BPF:

BUG: unable to handle page fault for address: ffffed11818b6626
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
Oops: Oops: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)
RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)
RAX: 00000000ffffffff
Call Trace:
<TASK>
bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)
bpf_core_apply (kernel/bpf/btf.c:9507)
check_core_relo (kernel/bpf/verifier.c:19475)
bpf_check (kernel/bpf/verifier.c:26031)
bpf_prog_load (kernel/bpf/syscall.c:3089)
__sys_bpf (kernel/bpf/syscall.c:6228)
</TASK>

CO-RE accessor indices are inherently non-negative (struct member index,
array element index, or enumerator index), so reject them immediately
after parsing.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

bpf_core_parse_spec() in the Linux kernel accepts negative components in CO‑RE accessor strings because sscanf("%d") parses them without complaint and the only bounds check that follows, access_idx >= btf_vlen(t), guards the upper limit alone. btf_vlen() returns a __u16 that is promoted to int for the comparison, so a negative access_idx is never rejected. When that index reaches btf_member_bit_offset() it is converted to u32 (0xffffffff for -1) and the member lookup reads far past the members array. The resulting kernel oops occurs during BPF_PROG_LOAD and is deterministic: any process holding CAP_BPF can crash the machine by loading a program whose CO‑RE relocation names a negative index on any struct present in vmlinux BTF.
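The following is an added illustration, not kernel or libbpf code: it models the accessor-string parse and the upper-bound-only check described above in plain userland C, so the promotion bug and the one-line fix can be observed directly. The names parse_spec, walk_spec, original_check_rejects, hardened_check_rejects and index_as_u32, the btf_vlen_t typedef and the chain of vlen values are all constructed for the example; the real kernel functions have different signatures and walk real BTF.

```c
/* Added example (not kernel code): models the accessor-string parsing in
 * bpf_core_parse_spec() to show why a negative index slips past an
 * upper-bound-only check, and the hardened parse that rejects it.
 * All names and the struct/vlen values are constructed for illustration. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_SPEC_LEN 64

/* Stand-in for the type of btf_vlen(): BTF keeps vlen in 16 bits, so the
 * kernel returns it as a __u16. */
typedef uint16_t btf_vlen_t;

/* The unpatched check, upper bound only. The __u16 vlen is promoted to int,
 * so (int)(-1) >= (int)N is false for every positive N and -1 "passes". */
static bool original_check_rejects(int access_idx, btf_vlen_t vlen)
{
	return access_idx >= vlen;
}

/* Hardened check: reject negatives first, then apply the upper bound. */
static bool hardened_check_rejects(int access_idx, btf_vlen_t vlen)
{
	return access_idx < 0 || access_idx >= vlen;
}

/* What the member lookup sees: per the description, the index is converted
 * to u32 before btf_member_bit_offset() uses it, so -1 becomes 0xffffffff. */
static uint32_t index_as_u32(int access_idx)
{
	return (uint32_t)access_idx;
}

/* Parse a colon-separated accessor string with sscanf("%d"), as the original
 * code does; with reject_negative set, apply the fix right after parsing.
 * Returns the component count, -EINVAL on a bad component, -E2BIG if too long. */
static int parse_spec(const char *spec_str, int *out, int max, bool reject_negative)
{
	int n = 0;

	while (*spec_str) {
		int idx, consumed;

		if (*spec_str == ':') {
			spec_str++;
			continue;
		}
		if (sscanf(spec_str, "%d%n", &idx, &consumed) != 1)
			return -EINVAL;
		if (reject_negative && idx < 0)
			return -EINVAL;	/* the fix: indices are never negative */
		if (n >= max)
			return -E2BIG;
		out[n++] = idx;
		spec_str += consumed;
	}
	return n;
}

/* Walk a parsed spec against a constructed chain of vlens (one per nesting
 * level) with either check. Returns 0 if every component passes, else -EINVAL. */
static int walk_spec(const int *spec, int n, const btf_vlen_t *vlens, bool hardened)
{
	for (int i = 0; i < n; i++) {
		bool rejected = hardened ? hardened_check_rejects(spec[i], vlens[i])
					 : original_check_rejects(spec[i], vlens[i]);
		if (rejected)
			return -EINVAL;
	}
	return 0;
}

int main(void)
{
	/* Constructed: root struct with 3 members, nested struct with 5, then 2. */
	const btf_vlen_t vlens[3] = { 3, 5, 2 };
	int spec[MAX_SPEC_LEN];
	int n;

	n = parse_spec("0:-1:1", spec, MAX_SPEC_LEN, false);
	printf("unpatched: %d components, bounds walk -> %d, index -1 as u32 = 0x%08x\n",
	       n, walk_spec(spec, n, vlens, false), index_as_u32(spec[1]));

	n = parse_spec("0:-1:1", spec, MAX_SPEC_LEN, true);
	printf("patched:   parse -> %d (%s)\n", n, n < 0 ? "rejected" : "accepted");
	return 0;
}
```

With the unpatched path the walk reports every component in bounds and hands 0xffffffff to the member lookup; with the fix the parse fails with -EINVAL before any BTF is touched, which is why the upstream change rejects the value immediately after sscanf() rather than tightening each later comparison.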

Affected Systems

The vulnerability is in generic kernel code, so every distribution that ships a kernel with CONFIG_DEBUG_INFO_BTF=y (the default on most modern releases) is affected. Any kernel that contains the unpatched bpf_core_parse_spec() is exposed, not only the 7.0.0-rc6 build shown in the oops; the affected release series are whichever ones carry that function without the fix.

Risk and Exploitability

Triggering the bug requires calling bpf(BPF_PROG_LOAD) with CAP_BPF, so an attacker needs that capability (root implies it) or must compromise a process that holds it. That limits the exposed population to privileged principals, but CAP_BPF is routinely granted to observability and networking agents and to some containers, so a compromised or malicious component in that position can take the host down with a single syscall. The description establishes an out‑of‑bounds read that faults during program load; the demonstrated impact is therefore a deterministic denial of service. EPSS data is currently unavailable and the vulnerability is not listed in the CISA KEV catalog. Because the oops happens while the program is being loaded, there is no resident "offending program" to remove afterwards: only a patched kernel prevents the crash, and restricting who may load BPF reduces exposure in the meantime.

Generated by OpenCVE AI on May 27, 2026 at 11:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a kernel version that incorporates the patch rejecting negative CO‑RE accessor indices (commit 1c22483a2c4bbf747787f328392ca3e68619c4dc).
  • Restrict which processes and containers hold CAP_BPF (and CAP_SYS_ADMIN, which implies it); do not grant it to untrusted workloads, since the crash is reachable with a single BPF_PROG_LOAD call.
  • If an immediate kernel upgrade is not possible, note that legitimate toolchains (clang/libbpf) never emit negative CO‑RE indices, so there is nothing to change in benign programs; the interim control is to confine BPF loading to trusted principals (keep kernel.unprivileged_bpf_disabled=1 so the capability check is the only entry point). A host exposes vmlinux BTF at all only if /sys/kernel/btf/vmlinux is present.

Advisories

No advisories yet.

History

Wed, 27 May 2026 12:00:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-129, CWE-20

Wed, 27 May 2026 10:30:00 +0000

Type                  Values Removed   Values Added
Description                            In the Linux kernel, the following vulnerability has been resolved: bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec() (full text as in the Description section above)
Title                                  bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()
First Time appeared                    Linux, Linux linux Kernel
CPEs                                   cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products                     Linux, Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T09:24:37.855Z

Reserved: 2026-05-13T15:03:33.077Z

Link: CVE-2026-45839

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-27T11:16:23.247

Modified: 2026-05-27T11:16:23.247

Link: CVE-2026-45839

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T11:45:15Z

Weaknesses

No weakness.