CVE-2026-45932 - Vulnerability Details

- bpf: Fix tcx/netkit detach permissions when prog fd isn't given

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix tcx/netkit detach permissions when prog fd isn't given

This commit fixes a security issue where BPF_PROG_DETACH on tcx or
netkit devices could be executed by any user when no program fd was
provided, bypassing permission checks. The fix adds a capability
check for CAP_NET_ADMIN or CAP_SYS_ADMIN in this case.

Published: 2026-05-27

Score: 7.3 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the Linux kernel allowed any user to detach BPF programs from tcx or netkit devices using the BPF_PROG_DETACH mechanism when no program file descriptor was supplied. The kernel performed no capability check in this scenario, so an attacker could remove a BPF program controlling networking behavior without possessing CAP_NET_ADMIN or CAP_SYS_ADMIN, potentially altering packet handling or disrupting network services. The weakness is an improper authorization check.

Affected Systems

The vulnerability is present in the Linux kernel shipped by all vendors before the fix commit. No specific version numbers are disclosed, so all kernels lacking the patch are considered affected.

Risk and Exploitability

The vulnerability is a local exploit that can be performed by any user on the system, as indicated by the lack of capability checks when detaching BPF programs without a program FD. The likely attack vector is local user privilege, inferred from the description that the check is only enforced when a program FD is present; otherwise any user can detach. The publicly available CVSS score is 7.3, and the EPSS score is < 1%, indicating a very low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog, suggesting no known widespread exploitation to date. Nevertheless, the potential to disrupt network functions or degrade security controls makes the risk moderate.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`e420bed025071a623d2720a92bc2245c84757ecb`	affected	< 4e0772cded109c238411f2fac36ac39302758b81
`e420bed025071a623d2720a92bc2245c84757ecb`	affected	< 3f04cc1e5374da4c5e791ae010a06cfea7bacbe6
`e420bed025071a623d2720a92bc2245c84757ecb`	affected	< ae23bc81ddf7c17b663c4ed1b21e35527b0a7131

Linux

affected

Version	Status	Constraints
`6.6`	affected	—
`0`	unaffected	< 6.6
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[e420bed025071a623d2720a92bc2245c84757ecb,4e0772cded109c238411f2fac36ac39302758b81)`	affected	code_commit	—
`[e420bed025071a623d2720a92bc2245c84757ecb,3f04cc1e5374da4c5e791ae010a06cfea7bacbe6)`	affected	code_commit	—
`[e420bed025071a623d2720a92bc2245c84757ecb,ae23bc81ddf7c17b663c4ed1b21e35527b0a7131)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.6`	affected	generic	—
`[0,6.6)`	unaffected	semver	—
`[6.18.14,6.19.0)`	unaffected	semver	—
`[6.19.4,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the patch for the tcx/netkit detach permission issue.
If an updated kernel is not yet available, restrict the use of BPF_PROG_DETACH on tcx/netkit devices to users possessing CAP_NET_ADMIN or CAP_SYS_ADMIN, or disable the feature via kernel configuration if possible.
Apply the specific kernel commit (e.g., commit 3f04cc1e5374da4c5e791ae010a06cfea7bacbe6 or later) locally to enforce the capability check before detach operations.

Generated by OpenCVE AI on May 30, 2026 at 13:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00133.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/3f04cc1e5374da4c5e791ae010a06cfea7bacbe6
https://git.kernel.org/stable/c/4e0772cded109c238411f2fac36ac39302758b81
https://git.kernel.org/stable/c/ae23bc81ddf7c17b663c4ed1b21e35527b0a7131
https://lore.kernel.org/linux-cve-announce/2026052727-CVE-2026-45932-4fdf@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-45932
https://www.cve.org/CVERecord?id=CVE-2026-45932

History

Sat, 30 May 2026 11:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H'}`

Thu, 28 May 2026 17:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-284

Thu, 28 May 2026 15:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-284

Thu, 28 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026052727-CVE-2026-45932-4fdf@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-45932 https://www.cve.org/CVERecord?id=CVE-2026-45932
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Important`

Wed, 27 May 2026 18:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-284

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: bpf: Fix tcx/netkit detach permissions when prog fd isn't given This commit fixes a security issue where BPF_PROG_DETACH on tcx or netkit devices could be executed by any user when no program fd was provided, bypassing permission checks. The fix adds a capability check for CAP_NET_ADMIN or CAP_SYS_ADMIN in this case.
Title		bpf: Fix tcx/netkit detach permissions when prog fd isn't given
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/3f04cc1e5374da4c5e791ae010a06cfea7bacbe6 https://git.kernel.org/stable/c/4e0772cded109c238411f2fac36ac39302758b81 https://git.kernel.org/stable/c/ae23bc81ddf7c17b663c4ed1b21e35527b0a7131

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:17:50.353Z

Updated: 2026-05-30T10:45:59.674Z

Reserved: 2026-05-13T15:03:33.086Z

Link: CVE-2026-45932

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:09.173

Modified: 2026-06-17T10:52:45.067

Link: CVE-2026-45932

Redhat

Severity : Important

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45932 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T13:15:24Z

Weaknesses

CWE-284
Improper Access Control

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object