CVE-2026-53095
UnknownSummary
A vulnerability in the Linux kernel was identified that allowed the abuse of the kprobe mechanism in conjunction with freplace, enabling modification of the pt_regs structure. This issue occurred when uprobe programs could change register values during kernel function calls.
Risk Assessment
Exploitation of this vulnerability could lead to unpredictable system behavior, including the potential introduction of incorrect data into kernel functions, jeopardizing system stability and security.
Recommendation
It is recommended to update the Linux kernel to a version that includes a fix for this vulnerability to prevent the attachment of freplace programs to kprobe programs with different kprobe_write_ctx values.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix abuse of kprobe_write_ctx via freplace uprobe programs are allowed to modify struct pt_regs. Since the actual program type of uprobe is KPROBE, it can be abused to modify struct pt_regs via kprobe+freplace when the kprobe attaches to kernel functions. For example, SEC("?kprobe") int kprobe(struct pt_regs *regs) { return 0; } SEC("?freplace") int freplace_kprobe(struct pt_regs *regs) { regs->di = 0; return 0; } freplace_kprobe prog will attach to kprobe prog. kprobe prog will attach to a kernel function. Without this patch, when the kernel function runs, its first arg will always be set as 0 via the freplace_kprobe prog. To fix the abuse of kprobe_write_ctx=true via kprobe+freplace, disallow attaching freplace programs on kprobe programs with different kprobe_write_ctx values.

