Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars

When regsafe() compares two scalar registers that both carry
BPF_ADD_CONST, check_scalar_ids() maps their full compound id
(aka base | BPF_ADD_CONST flag) as one idmap entry. However,
it never verifies that the underlying base ids, that is, with
the flag stripped, are consistent with existing idmap mappings.

This allows construction of two verifier states where the old
state has R3 = R2 + 10 (both sharing base id A) while the current
state has R3 = R4 + 10 (base id C, unrelated to R2). The idmap
creates two independent entries: A->B (for R2) and A|flag->C|flag
(for R3), without catching that A->C conflicts with A->B. State
pruning then incorrectly succeeds.

Fix this by additionally verifying base ID mapping consistency
whenever BPF_ADD_CONST is set: after mapping the compound ids,
also invoke check_ids() on the base IDs (flag bits stripped).
This ensures that if A was already mapped to B from comparing
the source register, any ADD_CONST derivative must also derive
from B, not an unrelated C.
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw arises because the id mapping performed during regsafe() does not validate base ID consistency when BPF_ADD_CONST scalars are compared, so two different verifier states can be considered equivalent. This oversight allows an attacker to craft a BPF program that passes verification but contains instructions that reference mismatched registers, potentially executing unintended kernel code. It is a logic validation error, categorized here under CWE-20.

Affected Systems

The vulnerability affects all Linux kernel versions that include the faulty verifier logic. No specific distribution or kernel release is listed, so any system running a kernel that lacks the patch is potentially impacted. Systems that load eBPF programs (network packet filters, tracing tools, etc.) are the most relevant.

Risk and Exploitability

The CVSS score is not provided, and EPSS is not available, so the current exploitation probability cannot be quantified. The vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed publicly exploitable instances. An attack requires a process with the ability to load a custom BPF program; therefore the likely vector is a local privileged user or a process with CAP_SYS_ADMIN. An unprivileged user is unlikely to be affected unless the system is misconfigured to allow untrusted BPF loading.

Generated by OpenCVE AI on June 24, 2026 at 20:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes the fix for the regsafe base id consistency bug; refer to the kernel patch referenced in the advisory commits.
  • As a temporary measure, reduce the permissions of users or services that can load eBPF programs; for example, remove CAP_SYS_ADMIN from untrusted services or restrict eBPF loading to the root user only.
  • If an immediate kernel update is not possible, disable the BPF subsystem by setting the kernel module configuration for CONFIG_BPF_SYSCALL to BROKEN or by limiting the BPF syscall to trusted users through policy changes.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Title bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:21.959Z

Reserved: 2026-06-09T07:44:35.383Z

Link: CVE-2026-53081

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T20:15:07Z

Weaknesses
  • CWE-20: Improper Input Validation