CVE-2026-43070

EUVD-2026-27373

05.05.2026, 16:16

In the Linux kernel, the following vulnerability has been resolved:

bpf: Reset register ID for BPF_END value tracking

When a register undergoes a BPF_END (byte swap) operation, its scalar
value is mutated in-place. If this register previously shared a scalar ID
with another register (e.g., after an `r1 = r0` assignment), this tie must
be broken.

Currently, the verifier misses resetting `dst_reg->id` to 0 for BPF_END.
Consequently, if a conditional jump checks the swapped register, the
verifier incorrectly propagates the learned bounds to the linked register,
leading to false confidence in the linked register's value and potentially
allowing out-of-bounds memory accesses.

Fix this by explicitly resetting `dst_reg->id` to 0 in the BPF_END case
to break the scalar tie, similar to how BPF_NEG handles it via
`__mark_reg_known`.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 4%

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.159-1 fixed
bookworm (security)	6.1.170-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.251-4 fixed
forky	6.19.14-1 fixed
sid	7.0.4-1 fixed
trixie	6.12.73-1 fixed
trixie (security)	6.12.86-1 fixed

References

https://git.kernel.org/stable/c/0d15c3611a2cc5d08993545d4032055ae10ae2c1

https://git.kernel.org/stable/c/a17443af874229408ce6b78e2c8a2b5adeb4b7d8

https://git.kernel.org/stable/c/a3125bc01884431d30d731461634c8295b6f0529