Description
In the Linux kernel, the following vulnerability has been resolved:

bpf, arm64: Fix off-by-one in check_imm signed range check

check_imm(bits, imm) is used in the arm64 BPF JIT to verify that
a branch displacement (in arm64 instruction units) fits into the
signed N-bit immediate field of a B, B.cond or CBZ/CBNZ encoding
before it is handed to the encoder. The macro currently tests for
(imm > 0 && imm >> bits) || (imm < 0 && ~imm >> bits) which admits
values in [-2^N, 2^N) — effectively a signed (N+1)-bit range. A
signed N-bit field only holds [-2^(N-1), 2^(N-1)), so the check
admits one extra bit of range on each side.

In particular, for check_imm19(), values in [2^18, 2^19) slip past
the check but do not fit into the 19-bit signed imm19 field of
B.cond. aarch64_insn_encode_immediate() then masks the raw value
into the 19-bit field, setting bit 18 (the sign bit) and flipping
a forward branch into a backward one. The same class of issue exists
for check_imm26() and the B/BL encoding. Shift by (bits - 1)
instead of bits so the actual signed N-bit range is enforced.
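The range check and the sign flip described above, reconstructed as a small stand-alone C model added for this page (not the kernel's own code). Both predicates mirror the macro's shift logic; field_roundtrip() is an assumed simplification of masking into an N-bit field and sign-extending on decode, not aarch64_insn_encode_immediate() itself.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-fix predicate: shifting by `bits` admits [-2^bits, 2^bits). */
static bool imm_rejected_before_fix(int bits, int32_t imm)
{
	return (imm > 0 && (imm >> bits)) || (imm < 0 && (~imm >> bits));
}

/* Fixed predicate: shifting by bits-1 enforces [-2^(bits-1), 2^(bits-1)). */
static bool imm_rejected_after_fix(int bits, int32_t imm)
{
	return (imm > 0 && (imm >> (bits - 1))) ||
	       (imm < 0 && (~imm >> (bits - 1)));
}

/* Simplified model (assumed here, not the kernel's aarch64_insn_encode_immediate()):
 * mask into an N-bit field, then sign-extend from bit N-1 as the CPU decodes it. */
static int32_t field_roundtrip(int bits, int32_t imm)
{
	uint32_t mask = (1u << bits) - 1;
	uint32_t field = (uint32_t)imm & mask;
	if (field & (1u << (bits - 1)))
		return (int32_t)(field | ~mask);	/* bit N-1 set: negative */
	return (int32_t)field;
}

/* True when the pre-fix check accepts a value that changes after encoding. */
static bool slips_through_and_flips(int bits, int32_t imm)
{
	return !imm_rejected_before_fix(bits, imm) &&
	       field_roundtrip(bits, imm) != imm;
}

int main(void)
{
	/* Constructed probes around the imm19 boundary: 2^18-1, 2^18, -2^18, -2^18-1 */
	const int32_t probes[] = { (1 << 18) - 1, 1 << 18, -(1 << 18), -(1 << 18) - 1 };
	for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
		int32_t imm = probes[i];
		printf("imm19 %8d: before=%s after=%s decodes_as=%d\n", imm,
		       imm_rejected_before_fix(19, imm) ? "reject" : "accept",
		       imm_rejected_after_fix(19, imm) ? "reject" : "accept",
		       field_roundtrip(19, imm));
	}
	return 0;
}
```

Running it shows 2^18 and -2^18-1 accepted by the old check yet decoding with the opposite sign, while the fixed check rejects exactly those two.
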
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ARM64 BPF Just‑In‑Time compiler performs a range check on immediate values before encoding them into branch instructions. The current logic incorrectly allows values that exceed the signed N‑bit field, effectively permitting a signed (N+1)-bit range. When an out‑of‑range value passes this check, the encoder masks the sign bit, turning a forward branch into a backward one and corrupting control flow. This can cause incorrect program behavior or data corruption, though it does not directly provide arbitrary code execution.

Affected Systems

All Linux kernel installations on ARM64 devices that include the BPF JIT feature and have not yet incorporated the patch identified by commit 1a113b5497297871699cd498b1b83542e0db7f15 (or later). This encompasses mainstream distributions, custom kernels, and any kernel that has not disabled or removed BPF JIT support.

Risk and Exploitability

No CVSS score has been published and no EPSS score is available; the absence of a KEV listing suggests limited observed exploitation. Triggering the flaw requires executing BPF programs on an affected kernel, which gives an attacker influence over kernel-side control flow. The bug does not by itself yield privilege escalation or remote code execution, but it can cause denial of service or serve as a stepping stone for more complex attacks in environments that run untrusted or complex BPF code. The risk is therefore considered high for such use cases.

Generated by OpenCVE AI on June 24, 2026 at 20:13 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that includes commit 1a113b5497297871699cd498b1b83542e0db7f15, which fixes the off‑by‑one in the check_imm logic
  • If a kernel update is infeasible, disable the BPF JIT by setting the sysctl net.core.bpf_jit_enable=0 (only possible on kernels not built with CONFIG_BPF_JIT_ALWAYS_ON) or by compiling the kernel without BPF JIT support
  • Restrict the ability to load BPF programs to trusted users and verify that immediate values fall within the correct signed range before submission to the kernel

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:30:00 +0000

Type         Values Removed   Values Added
Weaknesses   (empty)          CWE-193, CWE-20

Wed, 24 Jun 2026 17:15:00 +0000

Type                 Values Removed   Values Added
Description          (empty)          full description text (identical to the Description section above)
Title                (empty)          bpf, arm64: Fix off-by-one in check_imm signed range check
First Time appeared  (empty)          Linux; Linux linux Kernel
CPEs                 (empty)          cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products   (empty)          Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:43.449Z

Reserved: 2026-06-09T07:44:35.380Z

Link: CVE-2026-53036

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T20:15:07Z

Weaknesses