CVE-2026-53076 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix OOB in pcpu_init_value

An out-of-bounds read occurs when copying element from a
BPF_MAP_TYPE_CGROUP_STORAGE map to another pcpu map with the
same value_size that is not rounded up to 8 bytes.

The issue happens when:
1. A CGROUP_STORAGE map is created with value_size not aligned to
8 bytes (e.g., 4 bytes)
2. A pcpu map is created with the same value_size (e.g., 4 bytes)
3. Update element in 2 with data in 1

pcpu_init_value assumes that all sources are rounded up to 8 bytes,
and invokes copy_map_value_long to make a data copy, However, the
assumption doesn't stand since there are some cases where the source
may not be rounded up to 8 bytes, e.g., CGROUP_STORAGE, skb->data.
the verifier verifies exactly the size that the source claims, not
the size rounded up to 8 bytes by kernel, an OOB happens when the
source has only 4 bytes while the copy size(4) is rounded up to 8.

Published: 2026-06-24

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

An out‑of‑bounds read occurs in the Linux kernel when a BPF map of type CGROUP_STORAGE with a value size not rounded to 8 bytes is copied into a per‑CPU map of the same size. The kernel routine pcpu_init_value assumes source values are 8‑byte aligned and copies 8 bytes, causing a read beyond the source buffer. This allows an attacker to read unintended kernel memory, potentially exposing sensitive information or destabilizing the kernel.

Affected Systems

All Linux kernel releases that expose the BPF interface for CGROUP_STORAGE and per‑CPU maps before the patch are affected. The vulnerability is present in kernel commits prior to the fix referenced by the provided commit URLs, which include stable releases up to at least the 6.x series.

Risk and Exploitability

The CVSS score is not provided; EPSS is unavailable, and the issue is not listed in CISA KEV. However, the nature of the out‑of‑bounds read suggests a high risk of information disclosure. The attack requires the ability to create and manipulate BPF maps, typically available to a user with limited privileges. Once the specific map combination exists, an OOB read occurs during copy_map_value_long, and there are no mitigations other than applying the patch.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`d3bec0138bfbe58606fc1d6f57a4cdc1a20218db`	affected	< e19c5ed9f1922a6854073f8651a63fa7be26e9e9
`d3bec0138bfbe58606fc1d6f57a4cdc1a20218db`	affected	< e0378419b0e20178b5d100b27c9cc7e51064202e
`d3bec0138bfbe58606fc1d6f57a4cdc1a20218db`	affected	< 6086079e6d1c32ba4c4b422612b8aebb1129a96c
`d3bec0138bfbe58606fc1d6f57a4cdc1a20218db`	affected	< 634a793d0e1c822412095d25a1338f8831ad894c
`d3bec0138bfbe58606fc1d6f57a4cdc1a20218db`	affected	< 576afddfee8d1108ee299bf10f581593540d1a36
`c602ad2b52dcbca5af08e5137bd5575c039b52e3`	affected	—
`ab68b940dd6f7b5f8e2557937162dcb8a0583a05`	affected	—
`5.4.78`	affected	< 5.5
`5.9.9`	affected	< 5.10

Linux

affected

Version	Status	Constraints
`5.10`	affected	—
`0`	unaffected	< 5.10
`6.6.141`	unaffected	≤ 6.6.*
`6.12.91`	unaffected	≤ 6.12.*
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that incorporates the fix referenced by commit 576afddfe8d1108ee299bf10f581593540d1a36.
Rebuild any custom kernel modules that use BPF to ensure they link against the updated kernel.
If a kernel update is not yet available, restrict BPF map creation or disable the use of per‑CPU maps until the patch is applied.

Generated by OpenCVE AI on June 24, 2026 at 19:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/576afddfee8d1108ee299bf10f581593540d1a36
https://git.kernel.org/stable/c/6086079e6d1c32ba4c4b422612b8aebb1129a96c
https://git.kernel.org/stable/c/634a793d0e1c822412095d25a1338f8831ad894c
https://git.kernel.org/stable/c/e0378419b0e20178b5d100b27c9cc7e51064202e
https://git.kernel.org/stable/c/e19c5ed9f1922a6854073f8651a63fa7be26e9e9

History

Wed, 24 Jun 2026 19:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119 CWE-22

Wed, 24 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: bpf: Fix OOB in pcpu_init_value An out-of-bounds read occurs when copying element from a BPF_MAP_TYPE_CGROUP_STORAGE map to another pcpu map with the same value_size that is not rounded up to 8 bytes. The issue happens when: 1. A CGROUP_STORAGE map is created with value_size not aligned to 8 bytes (e.g., 4 bytes) 2. A pcpu map is created with the same value_size (e.g., 4 bytes) 3. Update element in 2 with data in 1 pcpu_init_value assumes that all sources are rounded up to 8 bytes, and invokes copy_map_value_long to make a data copy, However, the assumption doesn't stand since there are some cases where the source may not be rounded up to 8 bytes, e.g., CGROUP_STORAGE, skb->data. the verifier verifies exactly the size that the source claims, not the size rounded up to 8 bytes by kernel, an OOB happens when the source has only 4 bytes while the copy size(4) is rounded up to 8.
Title		bpf: Fix OOB in pcpu_init_value
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/576afddfee8d1108ee299bf10f581593540d1a36 https://git.kernel.org/stable/c/6086079e6d1c32ba4c4b422612b8aebb1129a96c https://git.kernel.org/stable/c/634a793d0e1c822412095d25a1338f8831ad894c https://git.kernel.org/stable/c/e0378419b0e20178b5d100b27c9cc7e51064202e https://git.kernel.org/stable/c/e19c5ed9f1922a6854073f8651a63fa7be26e9e9

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T16:30:17.092Z

Updated: 2026-06-24T16:30:17.092Z

Reserved: 2026-06-09T07:44:35.383Z

Link: CVE-2026-53076

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T19:30:08Z

Weaknesses

CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object