CVE-2026-53081
BPF Verifier Base ID Consistency Flaw in Linux Kernel

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars

When regsafe() compares two scalar registers that both carry BPF_ADD_CONST, check_scalar_ids() maps their full compound id (aka base | BPF_ADD_CONST flag) as one idmap entry. However, it never verifies that the underlying base ids, that is, with the flag stripped are consistent with existing idmap mappings.

This allows construction of two verifier states where the old state has R3 = R2 + 10 (both sharing base id A) while the current state has R3 = R4 + 10 (base id C, unrelated to R2). The idmap creates two independent entries: A->B (for R2) and A|flag->C|flag (for R3), without catching that A->C conflicts with A->B. State pruning then incorrectly succeeds.

Fix this by additionally verifying base ID mapping consistency whenever BPF_ADD_CONST is set: after mapping the compound ids, also invoke check_ids() on the base IDs (flag bits stripped). This ensures that if A was already mapped to B from comparing the source register, any ADD_CONST derivative must also derive from B, not an unrelated C.

Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's BPF (Berkeley Packet Filter) verifier related to how it handles scalar registers with the BPF_ADD_CONST flag. The issue arises because the verifier's regsafe() function does not properly verify the consistency of the underlying base IDs when comparing two scalar registers that both carry the BPF_ADD_CONST flag.

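Specifically, two verifier states can be constructed in which a register is derived from another by adding a constant, but the base IDs are unrelated between the states: the old state has R3 = R2 + 10 (both sharing base id A), while the current state has R3 = R4 + 10 (base id C, unrelated to R2). Because check_scalar_ids() maps only the full compound id (base | BPF_ADD_CONST flag) as one idmap entry, the idmap ends up with two independent entries, A->B for R2 and A|flag->C|flag for R3. The conflict between A->C and A->B is never detected, so state pruning incorrectly succeeds.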

The fix involves adding an additional verification step to ensure that if a base ID was already mapped from one register, any derivative with the BPF_ADD_CONST flag must also derive from the same mapped base ID, preventing conflicts.
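
The pruning decision described above, modeled as an added example (not kernel code and not part of the original advisory): a simplified idmap compared with the compound-id check alone and with the additional base-id check. The flag value, map size, sample ids and the `ids_equivalent()` helper are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define ADD_CONST 0x80000000u /* stand-in flag bit; the value is an assumption */
#define MAP_SIZE 8
struct idmap { uint32_t old_id[MAP_SIZE], cur_id[MAP_SIZE]; int n; };

/* Simplified check_ids(): each old id maps to exactly one current id and back. */
static bool check_ids(uint32_t old_id, uint32_t cur_id, struct idmap *m)
{
    for (int i = 0; i < m->n; i++) {
        if (m->old_id[i] == old_id)
            return m->cur_id[i] == cur_id;
        if (m->cur_id[i] == cur_id)
            return false;
    }
    if (m->n == MAP_SIZE) return false;
    m->old_id[m->n] = old_id;
    m->cur_id[m->n++] = cur_id;
    return true;
}

/* Model of the scalar id comparison; with_fix adds the base-id check. */
static bool check_scalar_ids(uint32_t old_id, uint32_t cur_id,
                             struct idmap *m, bool with_fix)
{
    if (!check_ids(old_id, cur_id, m)) /* compound id mapped as one entry */
        return false;
    if (with_fix && (old_id & cur_id & ADD_CONST)) /* flag bits stripped */
        return check_ids(old_id & ~ADD_CONST, cur_id & ~ADD_CONST, m);
    return true;
}

/* Old state: R2 has id A, R3 = R2 + 10 has id A|flag. Current state: R2 has
 * id B, R3 has id cur_r3_base|flag. True means the ids are judged equivalent. */
static bool ids_equivalent(uint32_t cur_r3_base, bool with_fix)
{
    const uint32_t A = 1, B = 2; /* constructed sample ids */
    struct idmap m = {0};
    return check_scalar_ids(A, B, &m, with_fix) &&
           check_scalar_ids(A | ADD_CONST, cur_r3_base | ADD_CONST, &m, with_fix);
}

int main(void)
{
    printf("unrelated base C: unfixed=%d fixed=%d; same base B: fixed=%d\n",
           ids_equivalent(3, false), ids_equivalent(3, true), ids_equivalent(2, true));
    return 0;
}
```

With the unrelated base id C (3), the compound-only check accepts the pair and the base-id check rejects it; a derivative of B (2) is accepted either way.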

Impact Analysis

This vulnerability can impact the security and reliability of the Linux kernel's BPF subsystem by allowing inconsistent verifier states to exist. This could potentially lead to incorrect verification of BPF programs, which might allow malicious or malformed BPF programs to be accepted and executed.

Such acceptance of invalid BPF programs could be exploited to bypass security checks, cause unexpected behavior, or lead to privilege escalation or denial of service within the kernel.
