bpf: Fix same-register dst/src OOB read and pointer leak in...

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix same-register dst/src OOB read and pointer leak in sock_ops

When a BPF sock_ops program accesses ctx fields with dst_reg == src_reg,
the SOCK_OPS_GET_SK() and SOCK_OPS_GET_FIELD() macros fail to zero the
destination register in the !fullsock / !locked_tcp_sock path.

Both macros borrow a temporary register to check is_fullsock /
is_locked_tcp_sock when dst_reg == src_reg, because dst_reg holds the
ctx pointer. When the check is false (e.g., TCP_NEW_SYN_RECV state with
a request_sock), dst_reg should be zeroed but is not, leaving the stale
ctx pointer:

- SOCK_OPS_GET_SK: dst_reg retains the ctx pointer, passes NULL checks
as PTR_TO_SOCKET_OR_NULL, and can be used as a bogus socket pointer,
leading to stack-out-of-bounds access in helpers like
bpf_skc_to_tcp6_sock().

- SOCK_OPS_GET_FIELD: dst_reg retains the ctx pointer which the
verifier believes is a SCALAR_VALUE, leaking a kernel pointer.

Fix both macros by:
- Changing JMP_A(1) to JMP_A(2) in the fullsock path to skip the
added instruction.
- Adding BPF_MOV64_IMM(si->dst_reg, 0) after the temp register
restore in the !fullsock path, placed after the restore because
dst_reg == src_reg means we need src_reg intact to read ctx->temp.

Basic Information

ID CVE-2026-53078

Source Linux

Published Jun 24, 2026 at 16:30

Modified Jun 28, 2026 at 06:39

Affected Product

Vendor Linux

Product Linux

Version fd09af010788a884de1c39537c288830c3d305db

Affected Versions Linux Linux fd09af010788a884de1c39537c288830c3d305db
Linux Linux fd09af010788a884de1c39537c288830c3d305db
Linux Linux 48be3df15aa19c04eadf156c9129293c9a10389f
Linux Linux cd4644d904e1d153d516e73e2e127e7a2fe687e1
Linux Linux 6e0bc946cbeec538322820786b5fb5200a2216ab
Linux Linux a7e52f7f675046d9ffc5692d815fa67c82fcdbf5
Linux Linux db7f8c57dbdd31f7e59f8dc8d1e1b38607a320ef
Linux Linux 5.7.18
Linux Linux 5.8.4
Linux Linux 5.4.61
Linux Linux 5.9

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix same-register dst/src OOB read and pointer leak in sock_ops\n\nWhen a BPF sock_ops program accesses ctx fields with dst_reg == src_reg,\nthe SOCK_OPS_GET_SK() and SOCK_OPS_GET_FIELD() macros fail to zero the\ndestination register in the !fullsock / !locked_tcp_sock path.\n\nBoth macros borrow a temporary register to check is_fullsock /\nis_locked_tcp_sock when dst_reg == src_reg, because dst_reg holds the\nctx pointer. When the check is false (e.g., TCP_NEW_SYN_RECV state with\na request_sock), dst_reg should be zeroed but is not, leaving the stale\nctx pointer:\n\n - SOCK_OPS_GET_SK: dst_reg retains the ctx pointer, passes NULL checks\n   as PTR_TO_SOCKET_OR_NULL, and can be used as a bogus socket pointer,\n   leading to stack-out-of-bounds access in helpers like\n   bpf_skc_to_tcp6_sock().\n\n - SOCK_OPS_GET_FIELD: dst_reg retains the ctx pointer which the\n   verifier believes is a SCALAR_VALUE, leaking a kernel pointer.\n\nFix both macros by:\n - Changing JMP_A(1) to JMP_A(2) in the fullsock path to skip the\n   added instruction.\n - Adding BPF_MOV64_IMM(si->dst_reg, 0) after the temp register\n   restore in the !fullsock path, placed after the restore because\n   dst_reg == src_reg means we need src_reg intact to read ctx->temp.",
    "published": "2026-06-24T16:30:18.858Z",
    "modified": "2026-06-28T06:39:04.474Z",
    "type": "cve",
    "title": "bpf: Fix same-register dst/src OOB read and pointer leak in sock_ops",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/18e3ffde1822f0b48b1753bf34aa97ce839df1d8\nhttps://git.kernel.org/stable/c/10f86a2a5c91fc4c4d001960f1c21abe52545ef6",
    "id": "CVE-2026-53078",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux fd09af010788a884de1c39537c288830c3d305db\nLinux Linux fd09af010788a884de1c39537c288830c3d305db\nLinux Linux 48be3df15aa19c04eadf156c9129293c9a10389f\nLinux Linux cd4644d904e1d153d516e73e2e127e7a2fe687e1\nLinux Linux 6e0bc946cbeec538322820786b5fb5200a2216ab\nLinux Linux a7e52f7f675046d9ffc5692d815fa67c82fcdbf5\nLinux Linux db7f8c57dbdd31f7e59f8dc8d1e1b38607a320ef\nLinux Linux 5.7.18\nLinux Linux 5.8.4\nLinux Linux 5.4.61\nLinux Linux 5.9",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "fd09af010788a884de1c39537c288830c3d305db",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

bpf: Fix same-register dst/src OOB read and pointer leak in sock_ops_CVE-2026-53078

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply