CVE-2026-45839
Status: Awaiting Analysis - Queue
Out-of-Bounds Read in Linux Kernel BPF CO-RE Accessor

Publication date: 2026-05-27

Last updated on: 2026-06-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()

CO-RE accessor strings are colon-separated indices that describe a path from a root BTF type to a target field, e.g. "0:1:2" walks through nested struct members. bpf_core_parse_spec() parses each component with sscanf("%d"), so negative values like -1 are silently accepted.

The subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the upper bound and always pass for negative values because C integer promotion converts the __u16 btf_vlen result to int, making the comparison (int)(-1) >= (int)(N) false for any positive N. When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff, producing an out-of-bounds read far past the members array.

A crafted BPF program with a negative CO-RE accessor on any struct that exists in vmlinux BTF (e.g. task_struct) crashes the kernel deterministically during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y (default on major distributions). The bug is reachable with CAP_BPF:

  BUG: unable to handle page fault for address: ffffed11818b6626
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  Oops: Oops: 0000 [#1] SMP KASAN NOPTI
  CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)
  RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)
  RAX: 00000000ffffffff
  Call Trace:
   <TASK>
   bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)
   bpf_core_apply (kernel/bpf/btf.c:9507)
   check_core_relo (kernel/bpf/verifier.c:19475)
   bpf_check (kernel/bpf/verifier.c:26031)
   bpf_prog_load (kernel/bpf/syscall.c:3089)
   __sys_bpf (kernel/bpf/syscall.c:6228)
   </TASK>

CO-RE accessor indices are inherently non-negative (struct member index, array element index, or enumerator index), so reject them immediately after parsing.
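The following is an added, self-contained C illustration of the parsing and comparison logic the description explains; it is not kernel or libbpf code. It uses a hypothetical parse_core_spec() that mimics the sscanf("%d") loop, a stand-in FAKE_VLEN in place of btf_vlen(t), and two check functions: the upper-bound-only check from the report (which accepts -1 because of integer promotion) beside the hardened one that also rejects negatives. It also shows the value -1 becomes once cast to u32 for offset arithmetic.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint16_t u16;
typedef uint32_t u32;

/* Constructed stand-in for btf_vlen(t): a struct with 5 members (hypothetical). */
#define FAKE_VLEN ((u16)5)

/* The flawed check from the report: access_idx >= btf_vlen(t).
 * btf_vlen() returns __u16, which is promoted to int, so for a negative
 * access_idx the comparison is (int)(-1) >= (int)5, which is false and
 * the index is accepted. Returns 1 if accepted, 0 if rejected. */
int upper_bound_only_accepts(int access_idx, u16 vlen)
{
	return !(access_idx >= vlen);
}

/* Hardened check: an accessor index is a member/element/enumerator index
 * and therefore must be non-negative as well as below vlen. */
int hardened_accepts(int access_idx, u16 vlen)
{
	return access_idx >= 0 && access_idx < vlen;
}

/* What -1 turns into when the accepted index is used as a u32 position. */
u32 index_as_u32(int access_idx)
{
	return (u32)access_idx;
}

/* Parse a colon-separated accessor string like "0:1:2" with sscanf("%d"),
 * the way the report describes. With reject_negative == 0 this mirrors the
 * vulnerable behaviour (negatives slip through); with reject_negative == 1
 * it applies the fix: reject right after parsing.
 * Returns the number of parsed components, or -1 on a parse/validation error. */
int parse_core_spec(const char *spec, int *out, int max_len, int reject_negative)
{
	const char *p = spec;
	int len = 0;

	while (*p) {
		int idx, consumed;

		if (len >= max_len)
			return -1;
		if (sscanf(p, "%d%n", &idx, &consumed) != 1)
			return -1;
		if (reject_negative && idx < 0)
			return -1;          /* the fix: indices are inherently non-negative */
		out[len++] = idx;
		p += consumed;
		if (*p == ':')
			p++;
		else if (*p)
			return -1;          /* junk after a component */
	}
	return len;
}

int main(void)
{
	int spec[8];
	int n;

	/* Constructed accessor string carrying a negative component. */
	n = parse_core_spec("0:-1", spec, 8, 0);
	printf("vulnerable parse: %d components, last = %d\n", n, spec[n - 1]);
	printf("upper-bound-only check accepts -1: %d\n",
	       upper_bound_only_accepts(spec[n - 1], FAKE_VLEN));
	printf("-1 as u32 index: 0x%08x\n", index_as_u32(spec[n - 1]));

	printf("hardened parse result: %d\n", parse_core_spec("0:-1", spec, 8, 1));
	printf("hardened check accepts -1: %d\n", hardened_accepts(-1, FAKE_VLEN));
	return 0;
}
```

The point to take away is that the comparison itself is not wrong for non-negative input; it is the missing lower bound, combined with the implicit promotion of the __u16 count to int, that lets -1 through, and rejecting negatives at parse time (as the fix does) closes the path before any index arithmetic happens.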
CVSS Scores
EPSS Scores
Meta Information
Published: 2026-05-27
Last Modified: 2026-06-01
Generated: 2026-06-16
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: linux
Product: linux_kernel
Version / Range: 7.0.0-rc6
Helpful Resources
Exploitability: CWE, KEV
CWE ID: CWE-UNKNOWN
AI Quick Actions (instant insights powered by AI)
Detection Guidance

This vulnerability causes a kernel crash when a crafted BPF program with a negative CO-RE accessor is loaded on a system with CONFIG_DEBUG_INFO_BTF=y enabled. Detection involves monitoring for kernel crashes or Oops messages related to bpf_core_parse_spec or BPF_PROG_LOAD failures.

You can check your kernel logs (e.g., using dmesg or journalctl) for messages indicating a page fault or Oops related to bpf_core_parse_spec or BPF verifier failures.

  • dmesg | grep -i 'bpf_core_parse_spec'
  • journalctl -k | grep -i 'bpf_core_parse_spec'
  • journalctl -k | grep -i 'BPF_PROG_LOAD'

Additionally, monitoring for unexpected kernel crashes or Oops messages after loading BPF programs can indicate exploitation attempts.

Mitigation Strategies

The immediate mitigation is to prevent loading of BPF programs that use negative CO-RE accessor indices, which are inherently invalid.

Since the vulnerability is triggered by crafted BPF programs and requires CAP_BPF capability, restricting untrusted users from loading BPF programs is critical.

  • Limit CAP_BPF capability to trusted users only.
  • Apply kernel updates or patches that reject negative CO-RE accessor indices in bpf_core_parse_spec() as soon as they become available.

If an update is not immediately available, consider disabling or restricting BPF program loading temporarily to avoid exploitation.

Executive Summary

This vulnerability exists in the Linux kernel's handling of BPF CO-RE accessor indices. CO-RE accessor strings describe a path to a target field in kernel data structures using colon-separated indices. The function bpf_core_parse_spec() parses these indices but incorrectly accepts negative values like -1.

Because the bounds checks only verify the upper bound and not the lower bound, negative indices bypass these checks. When a negative index is used, it is cast to a large unsigned integer, causing an out-of-bounds read far beyond the intended array.

A crafted BPF program using a negative CO-RE accessor on any struct present in the kernel's BTF data can cause a deterministic kernel crash during BPF program loading on systems with CONFIG_DEBUG_INFO_BTF enabled.

Impact Analysis

This vulnerability can cause a denial of service by crashing the Linux kernel when a malicious BPF program with a negative CO-RE accessor index is loaded.

Since the crash occurs deterministically during BPF_PROG_LOAD, an attacker with CAP_BPF capability can exploit this to disrupt system availability.
