CVE-2026-43010
BPF kprobe_multi Program Sleepable Context Bypass
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's handling of BPF kprobe_multi programs. Specifically, kprobe.multi programs run in atomic or RCU context and are not allowed to sleep. However, the function bpf_kprobe_multi_link_attach() did not check whether the program being attached was marked as sleepable. This allowed sleepable helpers, such as bpf_copy_from_user(), to be called from a non-sleepable context, which is invalid.
As a result, this causes a kernel error known as a "sleeping function called from invalid context" bug, which can lead to system instability or crashes.
The fix involves rejecting sleepable programs early during the attachment process to prevent this invalid state.
How can this vulnerability impact me?
This vulnerability can cause the Linux kernel to crash or become unstable due to the invocation of sleeping functions in contexts where sleeping is not allowed. This can lead to system errors, unexpected behavior, or denial of service conditions on affected systems.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability causes a kernel BUG triggered by a sleeping function being called from an invalid context. Detection can be done by monitoring kernel logs for the specific error message:
- Look for the log entry: "BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:169"
- Check kernel logs using commands such as: `dmesg | grep 'sleeping function called from invalid context'`
- Note which process triggered the report; the example shows 'pid: 1787, name: sudo'
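
Log triage for the detection steps above, as an added example that is not part of the original page: it parses kernel log text for the BUG line, extracts the source location and the pid/name, and flags reports whose following lines name kprobe_multi. The sample log and the trace-matching heuristic are assumptions; the kernel prints the same BUG message for unrelated atomic-sleep bugs, which is why the second constructed report is not flagged.

```python
import re

# Constructed sample (not from the original report): one report whose call
# trace names kprobe_multi, and one unrelated report without it.
SAMPLE_LOG = """\
[  101.000001] BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:169
[  101.000002] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1787, name: sudo
[  101.000003] Call Trace:
[  101.000004]  __might_fault+0x2e/0x40
[  101.000005]  bpf_copy_from_user+0x1c/0x60
[  101.000006]  kprobe_multi_link_handler+0x9a/0x1d0
[  230.500001] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580
[  230.500002] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 42, name: kworker/0:1
"""

BUG_RE = re.compile(r"BUG: sleeping function called from invalid context at (\S+):(\d+)")
TASK_RE = re.compile(r"\bpid: (\d+), name: (.+?)\s*$")


def find_reports(log_text):
    """Return one dict per 'sleeping function' report found in kernel log text."""
    reports, current = [], None
    for line in log_text.splitlines():
        m = BUG_RE.search(line)
        if m:
            current = {"file": m.group(1), "line": int(m.group(2)),
                       "pid": None, "name": None, "kprobe_multi": False}
            reports.append(current)
            continue
        if current is None:
            continue
        t = TASK_RE.search(line)
        if t and current["pid"] is None:
            current["pid"], current["name"] = int(t.group(1)), t.group(2)
        # Heuristic (assumption): a later line naming kprobe_multi ties the
        # report to this attach path rather than an unrelated atomic-sleep bug.
        if "kprobe_multi" in line:
            current["kprobe_multi"] = True
    return reports


def likely_matches(log_text):
    """Keep only the reports flagged by the kprobe_multi heuristic."""
    return [r for r in find_reports(log_text) if r["kprobe_multi"]]


if __name__ == "__main__":
    for r in likely_matches(SAMPLE_LOG):
        print(f'{r["file"]}:{r["line"]} pid={r["pid"]} name={r["name"]}')
```

To run it against a live system, pass the captured output of `dmesg` (or `journalctl -k`) to `likely_matches()` instead of `SAMPLE_LOG`.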
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed by rejecting sleepable kprobe_multi BPF programs at attach time. Immediate mitigation steps include:
- Update the Linux kernel to a version that includes the fix for this vulnerability.
- Avoid attaching sleepable BPF kprobe_multi programs until the kernel is updated.
- Monitor kernel logs for the specific BUG message to detect exploitation attempts.