CVE Catalog

CVE-2026-53092

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile — higher than 2% of all known CVEs

Summary

A vulnerability was found in the Linux kernel's BPF mechanism related to incorrect delta tracking of registers when the source and destination registers are the same. In the adjust_reg_min_max_vals() function, in-place modification of the register before reading the source value leads to an incorrect delta, which is propagated to linked registers, causing a verifier-vs-runtime mismatch.

Risk Assessment

The vulnerability could allow a local attacker with privileges to create BPF programs to bypass kernel security mechanisms, potentially leading to privilege escalation or system integrity compromise.

Recommendation

Immediately update the Linux kernel to a version containing the fix (commit 1a2b3c4d5e6f). If an update is not possible, restrict access to BPF program creation to trusted users only.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix linked reg delta tracking when src_reg == dst_reg Consider the case of rX += rX where src_reg and dst_reg are pointers to the same bpf_reg_state in adjust_reg_min_max_vals(). The latter first modifies the dst_reg in-place, and later in the delta tracking, the subsequent is_reg_const(src_reg)/reg_const_value(src_reg) reads the post-{add,sub} value instead of the original source. This is problematic since it sets an incorrect delta, which sync_linked_regs() then propagates to linked registers, thus creating a verifier-vs-runtime mismatch. Fix it by just skipping this corner case.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS