CVE-2026-53095
Received - Intake
Privilege Escalation in Linux Kernel via BPF kprobe-freplace

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix abuse of kprobe_write_ctx via freplace

uprobe programs are allowed to modify struct pt_regs.

Since the actual program type of uprobe is KPROBE, it can be abused to modify struct pt_regs via kprobe+freplace when the kprobe attaches to kernel functions.

For example,

    SEC("?kprobe")
    int kprobe(struct pt_regs *regs)
    {
        return 0;
    }

    SEC("?freplace")
    int freplace_kprobe(struct pt_regs *regs)
    {
        regs->di = 0;
        return 0;
    }

freplace_kprobe prog will attach to kprobe prog. kprobe prog will attach to a kernel function.

Without this patch, when the kernel function runs, its first arg will always be set as 0 via the freplace_kprobe prog.

To fix the abuse of kprobe_write_ctx=true via kprobe+freplace, disallow attaching freplace programs on kprobe programs with different kprobe_write_ctx values.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor    Product         Version / Range
linux     linux_kernel    *
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability is in the Linux kernel's eBPF subsystem and involves the uprobe and kprobe program types.

Uprobe programs are allowed to modify struct pt_regs, which holds CPU register state. Since uprobe's actual program type is KPROBE, it can be abused to modify struct pt_regs via a combination of kprobe and freplace programs when the kprobe attaches to kernel functions.

An attacker can create a freplace program that attaches to a kprobe program and modifies the first argument of a kernel function by setting it to zero or another value, effectively changing the behavior of that kernel function.

The vulnerability is fixed by disallowing freplace programs from attaching to kprobe programs if they have different kprobe_write_ctx values, preventing this kind of abuse.
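
The attach rule described above, as a small user-space C model (an added example, not kernel code and not the patch itself). The type and function names, the -EINVAL return value, and the rule that a context-writing KPROBE program may attach only as a uprobe are assumptions of the model; only the kprobe_write_ctx comparison comes from the description.

```c
/* Added illustration: user-space model of the attach rules, not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

enum model_type { MODEL_KPROBE, MODEL_EXT };      /* MODEL_EXT = freplace */

struct model_prog {
    enum model_type type;
    bool kprobe_write_ctx;                        /* body stores to struct pt_regs */
};

/* Assumed existing rule: a ctx-writing KPROBE program may attach only as a uprobe. */
int model_probe_attach(const struct model_prog *p, bool is_uprobe)
{
    if (p->type != MODEL_KPROBE)
        return -EINVAL;
    return (p->kprobe_write_ctx && !is_uprobe) ? -EINVAL : 0;
}

/* Rule from the fix: freplace and its kprobe target must agree on kprobe_write_ctx. */
int model_freplace_attach(const struct model_prog *ext,
                          const struct model_prog *tgt, bool patched)
{
    if (ext->type != MODEL_EXT || tgt->type != MODEL_KPROBE)
        return -EINVAL;                           /* model covers kprobe targets only */
    if (patched && ext->kprobe_write_ctx != tgt->kprobe_write_ctx)
        return -EINVAL;                           /* error value is the model's choice */
    return 0;
}

/* True if a ctx-writing body ends up running on a kernel-function probe. */
bool model_kernel_regs_writable(bool patched)
{
    struct model_prog kp = { MODEL_KPROBE, false };   /* the empty kprobe program */
    struct model_prog fr = { MODEL_EXT, true };       /* the freplace that writes regs */

    if (model_freplace_attach(&fr, &kp, patched) != 0)
        return false;
    return model_probe_attach(&kp, false) == 0;
}

int main(void)
{
    printf("unpatched: %d, patched: %d\n",
           model_kernel_regs_writable(false), model_kernel_regs_writable(true));
    return 0;
}
```

In the model, the direct route (a context-writing program on a kernel function) is already refused, so the comparison added by the fix is what closes the indirect route while still letting a freplace attach when both programs agree on kprobe_write_ctx.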

Impact Analysis

This vulnerability allows an attacker to manipulate the arguments passed to kernel functions by modifying CPU register state through eBPF programs.

Such manipulation can lead to unexpected or malicious behavior in the kernel, potentially causing system instability, privilege escalation, or a bypass of security checks.

Because kernel functions rely on their arguments to operate correctly, altering these arguments can undermine the integrity and security of the system.

Mitigation Strategies

The vulnerability is fixed by disallowing attaching freplace programs on kprobe programs with different kprobe_write_ctx values.

Therefore, the immediate mitigation step is to update the Linux kernel to a version that includes this patch.
