CVE-2026-53090 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix ld_{abs,ind} failure path analysis in subprogs

Usage of ld_{abs,ind} instructions got extended into subprogs some time
ago via commit 09b28d76eac4 ("bpf: Add abnormal return checks."). These
are only allowed in subprograms when the latter are BTF annotated and
have scalar return types.

The code generator in bpf_gen_ld_abs() has an abnormal exit path (r0=0 +
exit) from legacy cBPF times. While the enforcement is on scalar return
types, the verifier must also simulate the path of abnormal exit if the
packet data load via ld_{abs,ind} failed.

This is currently not the case. Fix it by having the verifier simulate
both success and failure paths, and extend it in similar ways as we do
for tail calls. The success path (r0=unknown, continue to next insn) is
pushed onto stack for later validation and the r0=0 and return to the
caller is done on the fall-through side.

Published: 2026-06-24

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel, the verifier for eBPF programs incorrectly handles failure paths for the ld_abs and ld_ind instructions within subprograms. When these load operations fail, the verifier no longer simulates the erroneous exit path, potentially allowing malicious BPF code to slip through verification and access or modify memory that should be protected. This flaw represents a failure to handle an error condition correctly and could lead to kernel memory corruption or privilege escalation if an attacker is able to inject a crafted BPF program.

Affected Systems

Any Linux kernel instance running a version prior to the commit that introduced the fix (the patch referenced in the advisory) is susceptible. Because no specific version range is listed, all older kernel releases may be affected until the update is applied.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, so no active known exploits have been reported. However, the nature of the flaw suggests that an attacker who can load eBPF programs—such as a privileged user or a compromised application that can invoke bpf system calls—could potentially craft a subprogram that exploits the missing error path simulation to bypass security checks and gain kernel-level access. The exact likelihood of exploitation depends on the attacker's ability to inject BPF code; no public exploit code is known at this time.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`09b28d76eac48e922dc293da1aa2b2b85c32aeee`	affected	< d846d83bdacbd8f14fc45c63b8c1d22608452e1c
`09b28d76eac48e922dc293da1aa2b2b85c32aeee`	affected	< ee861486e377edc55361c08dcbceab3f6b6577bd

Linux

affected

Version	Status	Constraints
`5.10`	affected	—
`0`	unaffected	< 5.10
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a release that includes the fix commit for the BPF verifier.
If an upgrade is not immediately possible, restrict BPF program loading to the most trusted users and closely monitor system logs for abnormal BPF activity.
Apply a temporary kernel configuration that disables eBPF subprogram support until a patched kernel can be deployed.

Generated by OpenCVE AI on June 24, 2026 at 20:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/d846d83bdacbd8f14fc45c63b8c1d22608452e1c
https://git.kernel.org/stable/c/ee861486e377edc55361c08dcbceab3f6b6577bd

History

Wed, 24 Jun 2026 20:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-390

Wed, 24 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: bpf: Fix ld_{abs,ind} failure path analysis in subprogs Usage of ld_{abs,ind} instructions got extended into subprogs some time ago via commit 09b28d76eac4 ("bpf: Add abnormal return checks."). These are only allowed in subprograms when the latter are BTF annotated and have scalar return types. The code generator in bpf_gen_ld_abs() has an abnormal exit path (r0=0 + exit) from legacy cBPF times. While the enforcement is on scalar return types, the verifier must also simulate the path of abnormal exit if the packet data load via ld_{abs,ind} failed. This is currently not the case. Fix it by having the verifier simulate both success and failure paths, and extend it in similar ways as we do for tail calls. The success path (r0=unknown, continue to next insn) is pushed onto stack for later validation and the r0=0 and return to the caller is done on the fall-through side.
Title		bpf: Fix ld_{abs,ind} failure path analysis in subprogs
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/d846d83bdacbd8f14fc45c63b8c1d22608452e1c https://git.kernel.org/stable/c/ee861486e377edc55361c08dcbceab3f6b6577bd

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T16:30:29.413Z

Updated: 2026-06-24T16:30:29.413Z

Reserved: 2026-06-09T07:44:35.384Z

Link: CVE-2026-53090

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T20:15:07Z

Weaknesses

CWE-390
Detection of Error Condition Without Action

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object