Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix abuse of kprobe_write_ctx via freplace

uprobe programs are allowed to modify struct pt_regs.

Since the actual program type of uprobe is KPROBE, it can be abused to
modify struct pt_regs via kprobe+freplace when the kprobe attaches to
kernel functions.

For example,

SEC("?kprobe")
int kprobe(struct pt_regs *regs)
{
        return 0;
}

SEC("?freplace")
int freplace_kprobe(struct pt_regs *regs)
{
        regs->di = 0;
        return 0;
}

freplace_kprobe prog will attach to kprobe prog.
kprobe prog will attach to a kernel function.

Without this patch, when the kernel function runs, its first arg will
always be set as 0 via the freplace_kprobe prog.

To fix the abuse of kprobe_write_ctx=true via kprobe+freplace, disallow
attaching freplace programs on kprobe programs with different
kprobe_write_ctx values.
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is in the Linux kernel's BPF subsystem. uprobe programs are permitted to write to their context, struct pt_regs, and the verifier records that permission as kprobe_write_ctx. uprobe and kprobe programs share the same program type (BPF_PROG_TYPE_KPROBE), so a freplace program (BPF_PROG_TYPE_EXT) that was verified with write access to pt_regs could be attached to a kprobe program that is itself attached to a kernel function. When the probe fires, the freplace code runs in place of the kprobe program and its writes to pt_regs take effect before the kernel function resumes; in the commit's example regs->di, the first-argument register on x86-64, is zeroed, so the probed function always receives 0 as its first argument. In effect this bypasses the verifier's rule that kprobe programs attached to kernel functions must not modify pt_regs, letting the attacker choose the arguments of any kprobe-able kernel function, which could potentially be leveraged for privilege escalation or further kernel compromise.
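The kprobe + freplace chain described above, modelled in plain C as an added example; this is not kernel code and not part of the advisory. The struct and enum names mirror the kernel's but are simplified stand-ins, the kprobe_write_ctx flag on the freplace program and the attach policy in attach_freplace are assumptions that approximate the described behaviour rather than the actual verifier logic, kernel_fn is a hypothetical probed function, and the 0x1234 argument is constructed input. The block runs the commit's two programs under both the unpatched and the patched attach policy and reports what the probed function saw as its first argument.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the x86-64 register frame a kprobe program receives; only the
 * first-argument register (rdi) is modelled. Constructed for this example. */
struct pt_regs {
    unsigned long di;
};

enum bpf_prog_type { BPF_PROG_TYPE_KPROBE, BPF_PROG_TYPE_EXT };

/* Per-program state modelled after the text: the program type, the verifier's
 * kprobe_write_ctx decision, the program body, and an attached freplace.
 * Assumption: the freplace program carries its own kprobe_write_ctx value. */
struct bpf_prog {
    enum bpf_prog_type type;
    bool kprobe_write_ctx;      /* verifier allowed writes to pt_regs */
    int (*run)(struct pt_regs *regs);
    struct bpf_prog *ext;       /* freplace program attached to this one */
};

/* The two programs from the commit message. */
static int kprobe_prog(struct pt_regs *regs)
{
    (void)regs;
    return 0;
}

static int freplace_kprobe(struct pt_regs *regs)
{
    regs->di = 0;               /* clobbers the probed function's first arg */
    return 0;
}

/* Attach-time policy (approximation, not the kernel's code). Before the fix
 * only the program types were checked; the fix additionally requires the
 * freplace program and its target to agree on kprobe_write_ctx, so write-
 * capable freplace code cannot be hung off a kprobe the verifier treated as
 * read-only. Returns 0 on success, -1 on rejection. */
static int attach_freplace(struct bpf_prog *target, struct bpf_prog *ext, bool fixed)
{
    if (ext->type != BPF_PROG_TYPE_EXT || target->type != BPF_PROG_TYPE_KPROBE)
        return -1;
    if (fixed && target->kprobe_write_ctx != ext->kprobe_write_ctx)
        return -1;
    target->ext = ext;
    return 0;
}

/* Fire the probe: run the kprobe program (or the freplace that replaced it)
 * on the register frame, then resume the kernel function with its first
 * argument taken from regs->di, mirroring the handler restoring registers. */
static unsigned long probed_call(struct bpf_prog *kprobe, struct pt_regs *regs,
                                 unsigned long (*fn)(unsigned long))
{
    struct bpf_prog *p = kprobe->ext ? kprobe->ext : kprobe;

    p->run(regs);
    return fn(regs->di);
}

/* Hypothetical probed kernel function; it just reports the argument it saw. */
static unsigned long kernel_fn(unsigned long arg)
{
    return arg;
}

struct scenario_result {
    int attach_rc;              /* result of attaching the freplace program */
    unsigned long seen_arg;     /* first argument kernel_fn actually received */
};

/* Build the chain from the commit message under the old or fixed policy. */
struct scenario_result run_scenario(bool fixed)
{
    struct bpf_prog kp  = { BPF_PROG_TYPE_KPROBE, false, kprobe_prog, NULL };
    struct bpf_prog ext = { BPF_PROG_TYPE_EXT, true, freplace_kprobe, NULL };
    struct pt_regs regs = { .di = 0x1234 };   /* constructed caller argument */
    struct scenario_result r;

    r.attach_rc = attach_freplace(&kp, &ext, fixed);
    r.seen_arg = probed_call(&kp, &regs, kernel_fn);
    return r;
}

int main(void)
{
    struct scenario_result r;

    r = run_scenario(false);
    printf("unpatched: attach rc=%d, kernel_fn saw arg 0x%lx\n", r.attach_rc, r.seen_arg);
    r = run_scenario(true);
    printf("patched:   attach rc=%d, kernel_fn saw arg 0x%lx\n", r.attach_rc, r.seen_arg);
    return 0;
}
```

Under the unpatched policy the attach succeeds and kernel_fn sees 0 instead of 0x1234; under the patched policy the mismatch in kprobe_write_ctx rejects the attach, the original read-only kprobe program runs, and the argument arrives intact.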

Affected Systems

The affected product is the Linux kernel, and therefore every vendor that ships it; the CPE entry on this page (cpe:2.3:o:linux:linux_kernel:*) carries no version bounds. No specific kernel version range is listed, so any kernel that supports both pt_regs writes from uprobe programs (kprobe_write_ctx) and freplace attachment to kprobe programs should be treated as affected until it carries the fix.

Risk and Exploitability

Exploit probability data (EPSS) is not yet available and the vulnerability is not listed in the CISA KEV catalog. The attack vector is local: the attacker must be able to load and attach both a kprobe program and a freplace program, which requires CAP_BPF together with CAP_PERFMON (or CAP_SYS_ADMIN). The practical impact is therefore the loss of a verifier guarantee inside an already privileged context: a user holding those capabilities can modify kernel register state that the verifier would otherwise refuse to let a kprobe program touch, and from there alter the arguments of probed kernel functions, with privilege escalation as a possible consequence. The patch rejects attaching a freplace program to a kprobe program whose kprobe_write_ctx value differs from its own, closing the abused path.

Generated by OpenCVE AI on June 24, 2026 at 19:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a kernel release that includes the patch from commit 611fe4b7... and the associated fixes
  • If an immediate kernel upgrade is not feasible, ensure that only trusted, privileged users can load kprobe and freplace programs (these program types already require CAP_BPF and CAP_PERFMON, or CAP_SYS_ADMIN); kprobe_write_ctx is a verifier-derived property of a program, not a setting an administrator can disable
  • Audit the BPF programs loaded on the system (for example with `bpftool prog show`) for freplace (type ext) programs attached to kprobe programs, and remove or replace any whose attachment to a kprobe program is not required, in particular those that modify pt_regs

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:15:00 +0000

Type                  Values Removed   Values Added
Weaknesses                             CWE-285

Wed, 24 Jun 2026 17:15:00 +0000

Type                  Values Removed   Values Added
Description                            In the Linux kernel, the following vulnerability has been resolved: bpf: Fix abuse of kprobe_write_ctx via freplace (full text as given in the Description section above)
Title                                  bpf: Fix abuse of kprobe_write_ctx via freplace
First Time appeared                    Linux
                                       Linux linux Kernel
CPEs                                   cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products                     Linux
                                       Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:33.684Z

Reserved: 2026-06-09T07:44:35.384Z

Link: CVE-2026-53095

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T20:00:10Z

Weaknesses