CVE-2026-53031

EUVD-2026-38899
In the Linux kernel, the following vulnerability has been resolved:

bpf: Validate node_id in arena_alloc_pages()

arena_alloc_pages() accepts a plain int node_id and forwards it through
the entire allocation chain without any bounds checking.

Validate node_id before passing it down the allocation chain in
arena_alloc_pages().
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 6%
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.170-3
fixed
bookworm (security)
6.1.174-1
fixed
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.257-1
fixed
forky
7.0.12-2
fixed
sid
7.0.13-1
fixed
trixie
vulnerable
trixie (security)
6.12.94-1
fixed
Vulnerability Media Exposure
References
https://git.kernel.org/stable/c/2845989f2ebaf7848e4eccf9a779daf3156ea0a5
https://git.kernel.org/stable/c/31d3b4b28e55835646d6829d60023f730dd34e85
https://git.kernel.org/stable/c/e15900888c09480a4c632bc598f1c5bd39bed6d6
https://git.kernel.org/stable/c/fb66e20130f95a93ffea1677252526a9e39170b2