Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix NULL deref in map_kptr_match_type for scalar regs

Commit ab6c637ad027 ("bpf: Fix a bpf_kptr_xchg() issue with local
kptr") refactored map_kptr_match_type() to branch on btf_is_kernel()
before checking base_type(). A scalar register stored into a kptr
slot has no btf, so the btf_is_kernel(reg->btf) call dereferences
NULL.

Move the base_type() != PTR_TO_BTF_ID guard before any reg->btf
access.
Published: 2026-06-24
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from a bug in the BPF subsystem that leads to a null pointer dereference when processing a scalar register stored into a kptr slot, causing a kernel panic. This denial‑of‑service condition can abruptly bring down the operating system and affect high‑availability services, but the description does not mention privilege escalation or data exposure.

Affected Systems

The affected product is the Linux kernel. No specific kernel release numbers are provided in the data, so any kernel version containing the unpatched implementation of map_kptr_match_type is potentially impacted. The flaw was addressed in commit ab6c637ad027, which is included in recent kernel releases from major distribution vendors. All distributions that ship standard Linux kernels are thus potentially affected.

Risk and Exploitability

Exploitation requires the ability to load or execute an eBPF program that triggers the faulty path, implying a local or privileged attacker scenario. Because the EPSS score is not available, the likelihood of exploitation is unknown. The CVSS details are not supplied, but a null dereference in kernel space is conventionally considered high severity for denial of service. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 24, 2026 at 19:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Linux kernel update that includes commit ab6c637ad027 to eliminate the null dereference flaw
  • Restart the system so the updated kernel is in use
  • Restrict the loading of eBPF programs to privileged users; ensure that untrusted processes cannot load eBPF programs or have the CAP_SYS_ADMIN capability removed
  • If eBPF functionality is unnecessary, disable eBPF syscalls by setting CONFIG_BPF_SYSCALL to "n" in the kernel configuration

Generated by OpenCVE AI on June 24, 2026 at 19:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bpf: Fix NULL deref in map_kptr_match_type for scalar regs Commit ab6c637ad027 ("bpf: Fix a bpf_kptr_xchg() issue with local kptr") refactored map_kptr_match_type() to branch on btf_is_kernel() before checking base_type(). A scalar register stored into a kptr slot has no btf, so the btf_is_kernel(reg->btf) call dereferences NULL. Move the base_type() != PTR_TO_BTF_ID guard before any reg->btf access.
Title bpf: Fix NULL deref in map_kptr_match_type for scalar regs
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:39.916Z

Reserved: 2026-06-09T07:44:35.380Z

Link: CVE-2026-53032

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T23:30:03Z

Weaknesses

No weakness.