Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars

When regsafe() compares two scalar registers that both carry
BPF_ADD_CONST, check_scalar_ids() maps their full compound id
(aka base | BPF_ADD_CONST flag) as one idmap entry. However,
it never verifies that the underlying base ids, that is, with
the flag stripped are consistent with existing idmap mappings.

This allows construction of two verifier states where the old
state has R3 = R2 + 10 (both sharing base id A) while the current
state has R3 = R4 + 10 (base id C, unrelated to R2). The idmap
creates two independent entries: A->B (for R2) and A|flag->C|flag
(for R3), without catching that A->C conflicts with A->B. State
pruning then incorrectly succeeds.

Fix this by additionally verifying base ID mapping consistency
whenever BPF_ADD_CONST is set: after mapping the compound ids,
also invoke check_ids() on the base IDs (flag bits stripped).
This ensures that if A was already mapped to B from comparing
the source register, any ADD_CONST derivative must also derive
from B, not an unrelated C.
Published: 2026-06-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The kernel when BPF_ADD_CONST scalars are compared, allowing the verifier to the construction of BPF programs that pass verification while internally referencing mismatched registers, which may cause unintended kernel behavior. The description does not confirm a specific privilege escalation or crash, but a malicious program could potentially exploit the incorrect state pruning to influence kernel execution in a way that is not intended. The impact is a logic flaw that could be leveraged to influence BPF program validation rather than traditional exploits such as code injection.

Affected Systems

All Linux kernel BPF verifier instances potentially affected. The vulnerability is not tied to a specific distribution release or kernel running an unpatched Linux kernel and capable of loading eBPF programs may be impacted. The flaw is relevant to any subsystem that uses the BPF verifier, such as network packet filtering, tracing, or custom eBPF tools.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity, but the EPSS score of < 1% shows a very low predicted exploitation probability at this time. The vulnerability is not listed in the CISA KEV catalog, indicating no publicly known exploit usage. Attackers would need the ability to load custom BPF programs, which typically requires root or the CAP_SYS_ADMIN capability. A non‑privileged user is unlikely to be able to exploit this flaw unless the system grants BPF loading permissions to untrusted contexts. The likely attack vector is local privileged or specially permitted processes that can inject BPF code.

Generated by OpenCVE AI on June 28, 2026 at 13:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that contains the fix for regsafe base‑id consistency; the commit referenced in the advisory provides the necessary patch.
  • If an immediate kernel upgrade is not possible, limit the set of users or services that can load eBPF programs by removing CAP_SYS_ADMIN from untrusted processes or by restricting eBPF loading to the root user only.
  • As a temporary containment, disable the BPF subsystem by setting CONFIG_BPF_SYSCALL to BROKEN in the kernel configuration or by applying a restrictive syscall filter that blocks the BPF syscall for untrusted users.

Generated by OpenCVE AI on June 28, 2026 at 13:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Sat, 27 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Sat, 27 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-386
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars When regsafe() compares two scalar registers that both carry BPF_ADD_CONST, check_scalar_ids() maps their full compound id (aka base | BPF_ADD_CONST flag) as one idmap entry. However, it never verifies that the underlying base ids, that is, with the flag stripped are consistent with existing idmap mappings. This allows construction of two verifier states where the old state has R3 = R2 + 10 (both sharing base id A) while the current state has R3 = R4 + 10 (base id C, unrelated to R2). The idmap creates two independent entries: A->B (for R2) and A|flag->C|flag (for R3), without catching that A->C conflicts with A->B. State pruning then incorrectly succeeds. Fix this by additionally verifying base ID mapping consistency whenever BPF_ADD_CONST is set: after mapping the compound ids, also invoke check_ids() on the base IDs (flag bits stripped). This ensures that if A was already mapped to B from comparing the source register, any ADD_CONST derivative must also derive from B, not an unrelated C.
Title bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-15T00:45:06.204Z

Reserved: 2026-06-09T07:44:35.383Z

Link: CVE-2026-53081

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53081 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T13:45:06Z

Weaknesses
  • CWE-386

    Symbolic Name not Mapping to Correct Object