CVE-2026-43010
Analyzed Analyzed - Analysis Complete
BPF kprobe_multi Program Sleepable Context Bypass

Publication date: 2026-05-01

Last updated on: 2026-05-07

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Reject sleepable kprobe_multi programs at attach time kprobe.multi programs run in atomic/RCU context and cannot sleep. However, bpf_kprobe_multi_link_attach() did not validate whether the program being attached had the sleepable flag set, allowing sleepable helpers such as bpf_copy_from_user() to be invoked from a non-sleepable context. This causes a "sleeping function called from invalid context" splat: BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:169 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1787, name: sudo preempt_count: 1, expected: 0 RCU nest depth: 2, expected: 0 Fix this by rejecting sleepable programs early in bpf_kprobe_multi_link_attach(), before any further processing.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43010
EUVD
EUVD-2026-26609
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 5.18 (inc) to 6.18.22 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's handling of bpf kprobe_multi programs. Specifically, kprobe.multi programs run in atomic or RCU context and are not allowed to sleep. However, the function bpf_kprobe_multi_link_attach() did not check if the program being attached was marked as sleepable. This allowed sleepable helpers, such as bpf_copy_from_user(), to be called from a non-sleepable context, which is invalid.

As a result, this causes a kernel error known as a "sleeping function called from invalid context" bug, which can lead to system instability or crashes.

The fix involves rejecting sleepable programs early during the attachment process to prevent this invalid state.

Impact Analysis

This vulnerability can cause the Linux kernel to crash or become unstable due to the invocation of sleeping functions in contexts where sleeping is not allowed. This can lead to system errors, unexpected behavior, or denial of service conditions on affected systems.

Detection Guidance

This vulnerability causes a kernel BUG triggered by a sleeping function being called from an invalid context. Detection can be done by monitoring kernel logs for the specific error message:

  • Look for the log entry: "BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:169"
  • Check kernel logs using commands such as: dmesg | grep 'sleeping function called from invalid context'
  • Monitor for processes triggering this, e.g., the example shows 'pid: 1787, name: sudo'
Mitigation Strategies

The vulnerability is fixed by rejecting sleepable kprobe_multi BPF programs at attach time. Immediate mitigation steps include:

  • Update the Linux kernel to a version that includes the fix for this vulnerability.
  • Avoid attaching sleepable BPF kprobe_multi programs until the kernel is updated.
  • Monitor kernel logs for the specific BUG message to detect exploitation attempts.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43010. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart