7.8
/ 10
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix linked reg delta tracking when src_reg == dst_reg
Consider the case of rX += rX where src_reg and dst_reg are pointers to
the same bpf_reg_state in adjust_reg_min_max_vals(). The latter first
modifies the dst_reg in-place, and later in the delta tracking, the
subsequent is_reg_const(src_reg)/reg_const_value(src_reg) reads the
post-{add,sub} value instead of the original source.
This is problematic since it sets an incorrect delta, which sync_linked_regs()
then propagates to linked registers, thus creating a verifier-vs-runtime
mismatch. Fix it by just skipping this corner case.
bpf: Fix linked reg delta tracking when src_reg == dst_reg
Consider the case of rX += rX where src_reg and dst_reg are pointers to
the same bpf_reg_state in adjust_reg_min_max_vals(). The latter first
modifies the dst_reg in-place, and later in the delta tracking, the
subsequent is_reg_const(src_reg)/reg_const_value(src_reg) reads the
post-{add,sub} value instead of the original source.
This is problematic since it sets an incorrect delta, which sync_linked_regs()
then propagates to linked registers, thus creating a verifier-vs-runtime
mismatch. Fix it by just skipping this corner case.
Basic Information
ID
CVE-2026-53092
Source
Linux
Published
Jun 24, 2026 at 16:30
Modified
Jun 28, 2026 at 06:39
Affected Product
Vendor
Linux
Product
Linux
Version
98d7ca374ba4b39e7535613d40e159f09ca14da2
Affected Versions
Linux Linux 98d7ca374ba4b39e7535613d40e159f09ca14da2
Linux Linux 98d7ca374ba4b39e7535613d40e159f09ca14da2
Linux Linux 98d7ca374ba4b39e7535613d40e159f09ca14da2
Linux Linux 6.11
Linux Linux 98d7ca374ba4b39e7535613d40e159f09ca14da2
Linux Linux 98d7ca374ba4b39e7535613d40e159f09ca14da2
Linux Linux 6.11