CVE-2026-43070
BPF Register ID Reset Flaw in Linux Kernel
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: kernel.org
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's BPF (Berkeley Packet Filter) verifier related to the BPF_END operation, which performs a byte swap on a register's scalar value.
When a register undergoes a BPF_END operation, its scalar value is changed in place. If this register previously shared a scalar ID with another register (for example, after an assignment like r1 = r0), this connection should be broken.
However, the verifier fails to reset the register's ID to zero after the BPF_END operation. As a result, when a conditional jump checks the swapped register, the verifier incorrectly propagates the bounds it learned to the linked register as well, so it trusts bounds on the linked register that were only established for the swapped value.
This can potentially allow out-of-bounds memory accesses, which is a security risk.
The fix involves explicitly resetting the register's ID to zero during the BPF_END case to break the scalar tie, similar to how the BPF_NEG operation handles it.
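The stale-ID propagation described above can be reproduced in a small user-space model. This is an added example, not kernel code and not part of the original page; the struct and the function names (model_mov, model_bswap, model_learn_le, r0_umax_after_check) are hypothetical, and the model tracks only an unsigned upper bound per register.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model, not kernel code: a scalar register is an ID plus an unsigned
 * upper bound. Registers with the same nonzero ID are treated as equal. */
struct reg { uint32_t id; uint64_t umax; };

/* r_dst = r_src: both registers end up sharing one scalar ID. */
static void model_mov(struct reg *dst, struct reg *src, uint32_t *next_id) {
    if (!src->id)
        src->id = ++*next_id;
    *dst = *src;
}

/* BPF_END on r: the value changes in place, so old bounds no longer hold.
 * reset_id = 0 models the flaw, reset_id = 1 models the fix. */
static void model_bswap(struct reg *r, int reset_id) {
    r->umax = UINT64_MAX;
    if (reset_id)
        r->id = 0; /* break the tie with any linked register */
}

/* Branch where "r[idx] <= k" holds: record the bound, then copy it to
 * every register that still carries the same nonzero ID. */
static void model_learn_le(struct reg *r, int n, int idx, uint64_t k) {
    uint32_t id = r[idx].id;
    r[idx].umax = k;
    for (int i = 0; id && i < n; i++)
        if (r[i].id == id)
            r[i].umax = k;
}

/* Bound the model holds for r0 after: r1 = r0; r1 = bswap(r1); r1 <= k. */
uint64_t r0_umax_after_check(int reset_id, uint64_t k) {
    struct reg r[2] = { { 0, UINT64_MAX }, { 0, UINT64_MAX } };
    uint32_t next_id = 0;
    model_mov(&r[1], &r[0], &next_id);
    model_bswap(&r[1], reset_id);
    model_learn_le(r, 2, 1, k);
    return r[0].umax;
}

int main(void) {
    printf("flawed: r0 umax = %llu\n", (unsigned long long)r0_umax_after_check(0, 255));
    printf("fixed:  r0 umax = %llu\n", (unsigned long long)r0_umax_after_check(1, 255));
    return 0;
}
```

With reset_id = 0 the model reports an upper bound of 255 for r0 although only the swapped copy in r1 was tested; with reset_id = 1 r0 stays unbounded.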
How can this vulnerability impact me?
This vulnerability can lead to out-of-bounds memory accesses in the Linux kernel's BPF subsystem.
Such out-of-bounds accesses may allow attackers to read or write memory locations they should not have access to, potentially leading to system crashes, data corruption, or privilege escalation.
Therefore, systems running vulnerable versions of the Linux kernel could be at risk of exploitation through crafted BPF programs.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been resolved in the Linux kernel by resetting the register ID for BPF_END value tracking to prevent incorrect propagation of bounds and potential out-of-bounds memory accesses.
To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.