Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix abuse of kprobe_write_ctx via freplace

uprobe programs are allowed to modify struct pt_regs.

Since the actual program type of uprobe is KPROBE, it can be abused to
modify struct pt_regs via kprobe+freplace when the kprobe attaches to
kernel functions.

For example,

SEC("?kprobe")
int kprobe(struct pt_regs *regs)
{
return 0;
}

SEC("?freplace")
int freplace_kprobe(struct pt_regs *regs)
{
regs->di = 0;
return 0;
}

freplace_kprobe prog will attach to kprobe prog.
kprobe prog will attach to a kernel function.

Without this patch, when the kernel function runs, its first arg will
always be set as 0 via the freplace_kprobe prog.

To fix the abuse of kprobe_write_ctx=true via kprobe+freplace, disallow
attaching freplace programs on kprobe programs with different
kprobe_write_ctx values.
Published: 2026-06-24
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Linux kernel, where uprobe programs that are allowed to write to the BPF program context (kprobe_write_ctx) can be abused through a freplace BPF program. A freplace program can alter values in the kernel register structure (struct pt_regs). When a kernel function is invoked via a kprobe, the modified registers are used, allowing an attacker to force the first argument of any kernel function to a value of their choosing, including zero. This manipulation can lead to arbitrary kernel‑mode escalation. The weakness is identified as CWE‑94, indicating a format‑string or code injection type flaw in kernel BPF handling.

Affected Systems

The affected product is the Linux kernel across all vendors that ship Linux. No specific kernel version range is listed, indicating the issue exists wherever this combination of kprobe and freplace BPF functionality is present.

Risk and Exploitability

The EPSS score of 0.00166 suggests a very low probability of exploitation; the vulnerability is not listed in the CISA KEV catalog, yet its CVSS of 7.0 highlights significant impact. Attacking this flaw would require local access with the ability to load BPF programs, typically requiring root or CAP_SYS_ADMIN privileges. The attack vector is inferred to be local; an attacker can attach a freplace BPF program to a kprobe and manipulate kernel registers so that the first argument of any kernel function is forced to an attacker‑chosen value, potentially leading to arbitrary kernel‑mode escalation. The patch eliminates this attack path by disallowing freplace programs on kprobe programs with mismatched kprobe_write_ctx values.

Generated by OpenCVE AI on June 25, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a kernel release that includes the patch from commit 611fe4b7... and the associated fixes
  • If an immediate kernel upgrade is not feasible, ensure that only privileged users can load BPF programs and enforce that kprobe_write_ctx is disabled for BPF programs that are not required
  • Audit and programs for unnecessary use of kprobe or freplace and remove or replace those that modify pt_regs

Generated by OpenCVE AI on June 25, 2026 at 16:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-285

Thu, 25 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Wed, 24 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-285

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bpf: Fix abuse of kprobe_write_ctx via freplace uprobe programs are allowed to modify struct pt_regs. Since the actual program type of uprobe is KPROBE, it can be abused to modify struct pt_regs via kprobe+freplace when the kprobe attaches to kernel functions. For example, SEC("?kprobe") int kprobe(struct pt_regs *regs) { return 0; } SEC("?freplace") int freplace_kprobe(struct pt_regs *regs) { regs->di = 0; return 0; } freplace_kprobe prog will attach to kprobe prog. kprobe prog will attach to a kernel function. Without this patch, when the kernel function runs, its first arg will always be set as 0 via the freplace_kprobe prog. To fix the abuse of kprobe_write_ctx=true via kprobe+freplace, disallow attaching freplace programs on kprobe programs with different kprobe_write_ctx values.
Title bpf: Fix abuse of kprobe_write_ctx via freplace
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:33.684Z

Reserved: 2026-06-09T07:44:35.384Z

Link: CVE-2026-53095

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53095 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T16:30:15Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')