CVE-2026-43070
Analyzed Analyzed - Analysis Complete
BPF Register ID Reset Flaw in Linux Kernel

Publication date: 2026-05-05

Last updated on: 2026-05-29

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Reset register ID for BPF_END value tracking When a register undergoes a BPF_END (byte swap) operation, its scalar value is mutated in-place. If this register previously shared a scalar ID with another register (e.g., after an `r1 = r0` assignment), this tie must be broken. Currently, the verifier misses resetting `dst_reg->id` to 0 for BPF_END. Consequently, if a conditional jump checks the swapped register, the verifier incorrectly propagates the learned bounds to the linked register, leading to false confidence in the linked register's value and potentially allowing out-of-bounds memory accesses. Fix this by explicitly resetting `dst_reg->id` to 0 in the BPF_END case to break the scalar tie, similar to how BPF_NEG handles it via `__mark_reg_known`.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-29
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43070
EUVD
EUVD-2026-27373
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.18.17 (inc) to 6.18.21 (exc)
linux linux_kernel From 6.19.7 (inc) to 6.19.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's BPF (Berkeley Packet Filter) verifier related to the BPF_END operation, which performs a byte swap on a register's scalar value.

When a register undergoes a BPF_END operation, its scalar value is changed in place. If this register previously shared a scalar ID with another register (for example, after an assignment like r1 = r0), this connection should be broken.

However, the verifier fails to reset the register's ID to zero after the BPF_END operation. As a result, if a conditional jump checks the swapped register, the verifier incorrectly propagates the bounds it learned to the linked register, causing false confidence in the linked register's value.

This can potentially allow out-of-bounds memory accesses, which is a security risk.

The fix involves explicitly resetting the register's ID to zero during the BPF_END case to break the scalar tie, similar to how the BPF_NEG operation handles it.

Impact Analysis

This vulnerability can lead to out-of-bounds memory accesses in the Linux kernel's BPF subsystem.

Such out-of-bounds accesses may allow attackers to read or write memory locations they should not have access to, potentially leading to system crashes, data corruption, or privilege escalation.

Therefore, systems running vulnerable versions of the Linux kernel could be at risk of exploitation through crafted BPF programs.

Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by resetting the register ID for BPF_END value tracking to prevent incorrect propagation of bounds and potential out-of-bounds memory accesses.

To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43070. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart