Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix OOB in pcpu_init_value

An out-of-bounds read occurs when copying element from a
BPF_MAP_TYPE_CGROUP_STORAGE map to another pcpu map with the
same value_size that is not rounded up to 8 bytes.

The issue happens when:
1. A CGROUP_STORAGE map is created with value_size not aligned to
8 bytes (e.g., 4 bytes)
2. A pcpu map is created with the same value_size (e.g., 4 bytes)
3. Update element in 2 with data in 1

pcpu_init_value assumes that all sources are rounded up to 8 bytes,
and invokes copy_map_value_long to make a data copy, However, the
assumption doesn't stand since there are some cases where the source
may not be rounded up to 8 bytes, e.g., CGROUP_STORAGE, skb->data.
the verifier verifies exactly the size that the source claims, not
the size rounded up to 8 bytes by kernel, an OOB happens when the
source has only 4 bytes while the copy size(4) is rounded up to 8.
Published: 2026-06-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out‑of‑bounds read occurs in the Linux kernel when a BPF map of type CGROUP_STORAGE with a value size not rounded to 8 bytes is copied into a per‑CPU map of the same size. The kernel routine pcpu_init_value assumes source values are 8‑byte aligned and copies 8 bytes, which causes a read beyond the source buffer. This vulnerability allows an attacker to read unintended kernel memory, potentially exposing sensitive information; the description does not indicate that the read could directly lead to kernel execution or a crash, so the primary impact is information disclosure. This is a CWE‑805: Out‑of‑Bounds Read vulnerability.

Affected Systems

Linux kernel versions prior to the commit 576afddfee8d1108ee299bf10f581593540d1a36 are affected. All kernel releases that expose the BPF interface for CGROUP_STORAGE and per‑CPU maps without this patch, which includes stable releases up to at least the 6.x series, are potentially exposed.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity. The EPSS score of < 1% suggests a very low but non‑zero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is local, with an attacker able to create and manipulate BPF maps; the attacker must first create a CGROUP_STORAGE map with an unaligned value size, then create a matching per‑CPU map and update it with the CGROUP_STORAGE data. An out‑of‑bounds read will then expose adjacent kernel memory. No mitigations exist other than applying the patch or restricting the creation of such map combinations.

Generated by OpenCVE AI on June 28, 2026 at 14:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the commit 576afddfee8d1108ee299bf10f581593540d1a36, which fixes the out‑of‑bounds read (CWE‑805).
  • Rebuild any custom kernel modules that depend on BPF to ensure they link against the updated kernel and avoid the CWE‑805 issue.
  • If a kernel update is not yet possible, limit the creation of BPF CGROUP_STORAGE maps with value sizes not aligned to 8 bytes and avoid using matching per‑CPU maps until the patch is applied, thereby neutralizing the vulnerability temporarily (addressing the CWE‑805 vulnerability).

Generated by OpenCVE AI on June 28, 2026 at 14:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}


Fri, 26 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-22

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-805
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-22

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bpf: Fix OOB in pcpu_init_value An out-of-bounds read occurs when copying element from a BPF_MAP_TYPE_CGROUP_STORAGE map to another pcpu map with the same value_size that is not rounded up to 8 bytes. The issue happens when: 1. A CGROUP_STORAGE map is created with value_size not aligned to 8 bytes (e.g., 4 bytes) 2. A pcpu map is created with the same value_size (e.g., 4 bytes) 3. Update element in 2 with data in 1 pcpu_init_value assumes that all sources are rounded up to 8 bytes, and invokes copy_map_value_long to make a data copy, However, the assumption doesn't stand since there are some cases where the source may not be rounded up to 8 bytes, e.g., CGROUP_STORAGE, skb->data. the verifier verifies exactly the size that the source claims, not the size rounded up to 8 bytes by kernel, an OOB happens when the source has only 4 bytes while the copy size(4) is rounded up to 8.
Title bpf: Fix OOB in pcpu_init_value
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:39:01.404Z

Reserved: 2026-06-09T07:44:35.383Z

Link: CVE-2026-53076

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53076 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:30:07Z

Weaknesses
  • CWE-805

    Buffer Access with Incorrect Length Value