CVE-2026-53036
Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

bpf, arm64: Fix off-by-one in check_imm signed range check

check_imm(bits, imm) is used in the arm64 BPF JIT to verify that a branch displacement (in arm64 instruction units) fits into the signed N-bit immediate field of a B, B.cond or CBZ/CBNZ encoding before it is handed to the encoder.

The macro currently tests for

    (imm > 0 && imm >> bits) || (imm < 0 && ~imm >> bits)

which admits values in [-2^N, 2^N) - effectively a signed (N+1)-bit range. A signed N-bit field only holds [-2^(N-1), 2^(N-1)), so the check admits one extra bit of range on each side.

In particular, for check_imm19(), values in [2^18, 2^19) slip past the check but do not fit into the 19-bit signed imm19 field of B.cond. aarch64_insn_encode_immediate() then masks the raw value into the 19-bit field, setting bit 18 (the sign bit) and flipping a forward branch into a backward one.

Same class of issue exists for check_imm26() and the B/BL encoding.

Shift by (bits - 1) instead of bits so the actual signed N-bit range is enforced.

Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux
Product: linux_kernel
Version / Range: *

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability is an off-by-one error in the Linux kernel's arm64 BPF JIT compiler. It affects the check_imm macro, which verifies that a branch displacement fits into the signed N-bit immediate field of a B, B.cond or CBZ/CBNZ instruction encoding.

The check_imm macro incorrectly allows values in the range [-2^N, 2^N), which is effectively a signed (N+1)-bit range, instead of the correct signed N-bit range of [-2^(N-1), 2^(N-1)).

As a result, some values slip past the check but do not actually fit into the intended immediate field. When the encoding function masks such a value into the field, the field's sign bit ends up set. This can flip a forward branch into a backward one, potentially causing incorrect program behavior.
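
The range error described above, reproduced in user-space C as an added example (not the kernel's code). check_imm_old is the test quoted in the description and check_imm_fixed applies the (bits - 1) shift; field_roundtrip is a hypothetical helper that models masking into the N-bit field and sign-extending it on decode, and the sample displacements are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* The test quoted in the description; nonzero means "imm does not fit". */
static int check_imm_old(int bits, int64_t imm)
{
    return (imm > 0 && (imm >> bits)) || (imm < 0 && (~imm >> bits));
}

/* The same test with the shift changed to (bits - 1), as the fix describes. */
static int check_imm_fixed(int bits, int64_t imm)
{
    return (imm > 0 && (imm >> (bits - 1))) ||
           (imm < 0 && (~imm >> (bits - 1)));
}

/* Hypothetical model: mask imm into a bits-wide field, then sign-extend it
 * the way the field is interpreted when the branch executes. */
static int64_t field_roundtrip(int bits, int64_t imm)
{
    uint64_t field = (uint64_t)imm & ((1ULL << bits) - 1);
    uint64_t sign = 1ULL << (bits - 1);

    return (int64_t)(field ^ sign) - (int64_t)sign;
}

int main(void)
{
    /* Constructed displacements around the imm19 boundaries. */
    const int64_t samples[] = {
        (1 << 18) - 1, 1 << 18, (1 << 19) - 1, 1 << 19,
        -(1 << 18), -(1 << 18) - 1, -(1 << 19), -(1 << 19) - 1,
    };

    puts("       imm  old    fixed  decoded");
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int64_t imm = samples[i];

        printf("%10lld  %-6s %-6s %lld\n", (long long)imm,
               check_imm_old(19, imm) ? "reject" : "accept",
               check_imm_fixed(19, imm) ? "reject" : "accept",
               (long long)field_roundtrip(19, imm));
    }
    return 0;
}
```

Every row where the old test accepts and the decoded value differs from imm is a displacement that would be encoded as a different branch target; the fixed test rejects all of them.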

Impact Analysis

This vulnerability can cause incorrect encoding of branch instructions in the arm64 BPF JIT compiler, which may lead to unexpected control flow changes such as flipping a forward branch into a backward branch.

Such incorrect behavior could potentially lead to instability, crashes, or unintended execution paths within the kernel or programs using BPF JIT on arm64 architectures.
