Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix linked reg delta tracking when src_reg == dst_reg

Consider the case of rX += rX where src_reg and dst_reg are pointers to
the same bpf_reg_state in adjust_reg_min_max_vals(). The latter first
modifies the dst_reg in-place, and later in the delta tracking, the
subsequent is_reg_const(src_reg)/reg_const_value(src_reg) reads the
post-{add,sub} value instead of the original source.

This is problematic since it sets an incorrect delta, which sync_linked_regs()
then propagates to linked registers, thus creating a verifier-vs-runtime
mismatch. Fix it by just skipping this corner case.
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug in the Linux kernel’s BPF subsystem involves incorrect calculation of register deltas when the source and destination registers reference the same state. This leads the verifier to accept BPF programs that are actually unsafe, while the runtime executes them with mismatched register values. The resulting inconsistency can cause memory corruption or altered program behavior and, based on the description, it is inferred that this could allow privilege escalation if an adversary can author a crafted BPF program. The weakness corresponds to CWE‑682, Incorrect Calculation.
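
The aliasing problem behind the incorrect delta, as an added simplified model in C (not kernel code and not part of the original advisory). `toy_reg`, `toy_add` and `toy_consistent` are hypothetical names, and dropping the link when `src == dst` is this model's assumption for what "skipping the corner case" means.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy register state: NOT the kernel's struct bpf_reg_state. */
struct toy_reg {
    int64_t value;   /* known constant value */
    bool is_const;   /* value is a known constant */
    int64_t delta;   /* offset relative to the linked base register */
    bool linked;     /* still tracked as "base + delta" */
};

/* Model of "dst += src" followed by delta tracking.
 * skip_alias=false reproduces the flawed ordering; skip_alias=true
 * skips delta tracking when src and dst are the same object. */
static void toy_add(struct toy_reg *dst, struct toy_reg *src, bool skip_alias)
{
    dst->value += src->value;        /* in-place update; clobbers *src if aliased */
    if (skip_alias && src == dst) {
        dst->linked = false;         /* model assumption: drop the link, record no delta */
        return;
    }
    if (dst->linked && src->is_const)
        dst->delta += src->value;    /* aliased: this reads the post-add value */
}

/* Returns true if the tracked belief (base + delta) matches the value the
 * register really holds after rX += rX, or if no belief is kept at all. */
static bool toy_consistent(int64_t base, bool skip_alias)
{
    struct toy_reg r = { .value = base, .is_const = true, .delta = 0, .linked = true };
    toy_add(&r, &r, skip_alias);     /* rX += rX: src and dst alias */
    if (!r.linked)
        return true;
    return base + r.delta == r.value;
}

int main(void)
{
    /* Constructed input: rX = 5. Real result is 10; flawed delta is 10, not 5. */
    printf("flawed ordering consistent: %d\n", toy_consistent(5, false));
    printf("alias skipped consistent:   %d\n", toy_consistent(5, true));
    return 0;
}
```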

Affected Systems

All Linux kernel versions released prior to the commit cc86a8b0a1c54d2bccf6f68cf49b82dea91b84de are affected. The flaw resides in the core kernel BPF verifier and is independent of distribution; any system running the unpatched kernel is vulnerable.

Risk and Exploitability

The vulnerability is not listed in the CISA KEV catalog and the EPSS score is not available, indicating no published exploit at this time. Nevertheless, exploitation would require the ability to load custom BPF programs, typically achievable with local or privileged access. Because the flaw undermines the verification of BPF bytecode, the risk is high for environments that rely heavily on kernel‑side BPF, especially when running in privileged contexts.

Generated by OpenCVE AI on June 24, 2026 at 21:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a release containing commit cc86a8b0a1c54d2bccf6f68cf49b82dea91b84de or newer.
  • If an immediate kernel upgrade is not feasible, disable loading of user‑supplied BPF programs or restrict this capability to trusted users until the patch is applied.
  • Apply vendor‑backported security updates that include the BPF delta tracking fix, if available for your distribution.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-682 |

Wed, 24 Jun 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix linked reg delta tracking when src_reg == dst_reg Consider the case of rX += rX where src_reg and dst_reg are pointers to the same bpf_reg_state in adjust_reg_min_max_vals(). The latter first modifies the dst_reg in-place, and later in the delta tracking, the subsequent is_reg_const(src_reg)/reg_const_value(src_reg) reads the post-{add,sub} value instead of the original source. This is problematic since it sets an incorrect delta, which sync_linked_regs() then propagates to linked registers, thus creating a verifier-vs-runtime mismatch. Fix it by just skipping this corner case. |
| Title | | bpf: Fix linked reg delta tracking when src_reg == dst_reg |
| First Time appeared | | Linux; Linux linux Kernel |
| CPEs | | `cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Linux; Linux linux Kernel |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:31.168Z

Reserved: 2026-06-09T07:44:35.384Z

Link: CVE-2026-53092

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T21:15:16Z
