CVE-2026-53078
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix same-register dst/src OOB read and pointer leak in sock_ops

When a BPF sock_ops program accesses ctx fields with dst_reg == src_reg, the SOCK_OPS_GET_SK() and SOCK_OPS_GET_FIELD() macros fail to zero the destination register in the !fullsock / !locked_tcp_sock path.

Both macros borrow a temporary register to check is_fullsock / is_locked_tcp_sock when dst_reg == src_reg, because dst_reg holds the ctx pointer. When the check is false (e.g., TCP_NEW_SYN_RECV state with a request_sock), dst_reg should be zeroed but is not, leaving the stale ctx pointer:

- SOCK_OPS_GET_SK: dst_reg retains the ctx pointer, passes NULL checks as PTR_TO_SOCKET_OR_NULL, and can be used as a bogus socket pointer, leading to stack-out-of-bounds access in helpers like bpf_skc_to_tcp6_sock().
- SOCK_OPS_GET_FIELD: dst_reg retains the ctx pointer which the verifier believes is a SCALAR_VALUE, leaking a kernel pointer.

Fix both macros by:

- Changing JMP_A(1) to JMP_A(2) in the fullsock path to skip the added instruction.
- Adding BPF_MOV64_IMM(si->dst_reg, 0) after the temp register restore in the !fullsock path, placed after the restore because dst_reg == src_reg means we need src_reg intact to read ctx->temp.
Meta Information

Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products

Vendor: linux
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's handling of BPF sock_ops programs that access context fields using the same destination and source register (dst_reg == src_reg). The kernel macros SOCK_OPS_GET_SK() and SOCK_OPS_GET_FIELD() fail to zero the destination register in certain code paths, leaving a stale context pointer in the register.

Specifically, the macros borrow a temporary register to check the socket state (is_fullsock / is_locked_tcp_sock); when that check is false, the destination register should be zeroed but is not, so it retains the stale context pointer.

This stale pointer can lead to two issues: with SOCK_OPS_GET_SK, the stale pointer passes the verifier's NULL check as a socket pointer and can be used as a bogus socket, causing stack out-of-bounds access in helper functions; with SOCK_OPS_GET_FIELD, the verifier treats the stale pointer as a scalar value, so a kernel pointer leaks to the program.

Impact Analysis

The vulnerability can lead to memory safety issues in the Linux kernel, including stack out-of-bounds access and kernel pointer leaks.

An attacker exploiting this could potentially cause kernel crashes or gain information about kernel memory layout through pointer leaks, which could be leveraged for further attacks.

Mitigation Strategies

The vulnerability is fixed in the Linux kernel by correcting the SOCK_OPS_GET_SK() and SOCK_OPS_GET_FIELD() macros so that the destination register is properly zeroed when dst_reg equals src_reg and the socket-state check fails.

Immediate mitigation steps include updating your Linux kernel to a version that includes this fix.
