CVE-2026-53074 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb

bpf_prog_test_run_skb() calls eth_type_trans() first and then uses
skb->protocol to initialize sk family and address fields for the test
run.

For IPv4 and IPv6 packets, it may access ip_hdr(skb) or ipv6_hdr(skb)
even when the provided test input only contains an Ethernet header.

Reject the input earlier if the Ethernet frame carries IPv4/IPv6
EtherType but the L3 header is too short.

Fold the IPv4/IPv6 header length checks into the existing protocol
switch and return -EINVAL before accessing the network headers.

Published: 2026-06-24

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel test harness for BPF programs, bpf_prog_test_run_skb, erroneously uses the packet's Ethertype to access L3 headers even when the supplied test input contains only an Ethernet header. This can cause an out‑of‑bounds read of the raw socket buffer, potentially leading to a kernel panic and a denial‑of‑service situation, and could be leveraged for privilege escalation if the attacker can run BPF programs.

Affected Systems

All Linux kernel versions that have not yet integrated the commit that rejects short IPv4/IPv6 inputs are affected. The bug is present in the upstream kernel and any distribution using an unpatched kernel should be considered at risk. No specific version range is listed, so the default assumption is any pre‑patch release. The vendor is the Linux kernel maintainers.

Risk and Exploitability

The vulnerability is scored with no EPSS data and is not listed in the CISA KEV catalog, suggesting limited known exploitation. The failure mode is a read past the end of an Ethernet frame, an out‑of‑bounds read that can trigger a kernel fault. Attack vectors are inferred to be local or remote depending on whether an attacker can load and execute BPF programs; the test harness is part of the kernel's BPF subsystem, implying that exploitation requires BPF program execution privileges. The CVSS score is not provided, so the severity assessment must rely on the impact of a kernel panic and the exploitability described above.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`fa5cb548ced61b9d3095f32f8a7e427a248c65ee`	affected	< 7254267799d083280c0e53effc101a33add95f7b
`fa5cb548ced61b9d3095f32f8a7e427a248c65ee`	affected	< 6a9f38d5ff11e00bc54baab752642978805e81eb
`fa5cb548ced61b9d3095f32f8a7e427a248c65ee`	affected	< e6aa481f21fc7a41ed344767ea25aae9d03fae71
`fa5cb548ced61b9d3095f32f8a7e427a248c65ee`	affected	< 0a04db240effd85773f66244645a28cedddb72d2
`fa5cb548ced61b9d3095f32f8a7e427a248c65ee`	affected	< 1f882c492d46f90bdb36f4936876c88c28dab21c
`fa5cb548ced61b9d3095f32f8a7e427a248c65ee`	affected	< 8042240412de3222d27b31e89d29336961cad9e4
`fa5cb548ced61b9d3095f32f8a7e427a248c65ee`	affected	< 6def5fe753cbe5b279ee5fd10327b2611cbddaca
`fa5cb548ced61b9d3095f32f8a7e427a248c65ee`	affected	< 12bec2bd4b76d81c5d3996bd14ec1b7f4d983747

Linux

affected

Version	Status	Constraints
`5.9`	affected	—
`0`	unaffected	< 5.9
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.141`	unaffected	≤ 6.6.*
`6.12.91`	unaffected	≤ 6.12.*
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the kernel to the latest stable release that includes the bpf_prog_test_run_skb patch or apply the upstream patch directly.
If a kernel upgrade is not possible, avoid using the test harness with packets that contain only an Ethernet header when the EtherType indicates IPv4 or IPv6; ensure test inputs include complete L3 headers.
Monitor system logs for kernel panic or oops messages that may indicate exploitation attempts and ensure host integrity monitoring is in place.

Generated by OpenCVE AI on June 24, 2026 at 19:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0a04db240effd85773f66244645a28cedddb72d2
https://git.kernel.org/stable/c/12bec2bd4b76d81c5d3996bd14ec1b7f4d983747
https://git.kernel.org/stable/c/1f882c492d46f90bdb36f4936876c88c28dab21c
https://git.kernel.org/stable/c/6a9f38d5ff11e00bc54baab752642978805e81eb
https://git.kernel.org/stable/c/6def5fe753cbe5b279ee5fd10327b2611cbddaca
https://git.kernel.org/stable/c/7254267799d083280c0e53effc101a33add95f7b
https://git.kernel.org/stable/c/8042240412de3222d27b31e89d29336961cad9e4
https://git.kernel.org/stable/c/e6aa481f21fc7a41ed344767ea25aae9d03fae71

History

Wed, 24 Jun 2026 19:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125

Wed, 24 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb bpf_prog_test_run_skb() calls eth_type_trans() first and then uses skb->protocol to initialize sk family and address fields for the test run. For IPv4 and IPv6 packets, it may access ip_hdr(skb) or ipv6_hdr(skb) even when the provided test input only contains an Ethernet header. Reject the input earlier if the Ethernet frame carries IPv4/IPv6 EtherType but the L3 header is too short. Fold the IPv4/IPv6 header length checks into the existing protocol switch and return -EINVAL before accessing the network headers.
Title		bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0a04db240effd85773f66244645a28cedddb72d2 https://git.kernel.org/stable/c/12bec2bd4b76d81c5d3996bd14ec1b7f4d983747 https://git.kernel.org/stable/c/1f882c492d46f90bdb36f4936876c88c28dab21c https://git.kernel.org/stable/c/6a9f38d5ff11e00bc54baab752642978805e81eb https://git.kernel.org/stable/c/6def5fe753cbe5b279ee5fd10327b2611cbddaca https://git.kernel.org/stable/c/7254267799d083280c0e53effc101a33add95f7b https://git.kernel.org/stable/c/8042240412de3222d27b31e89d29336961cad9e4 https://git.kernel.org/stable/c/e6aa481f21fc7a41ed344767ea25aae9d03fae71

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T16:30:15.337Z

Updated: 2026-06-24T16:30:15.337Z

Reserved: 2026-06-09T07:44:35.383Z

Link: CVE-2026-53074

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T19:30:08Z

Weaknesses

CWE-125
Out-of-bounds Read

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object