CVE-2026-43070

Published: Mag 05, 2026 Last Modified: Mag 05, 2026

ExploitDB:

Other exploit source:

Google Dorks:

Description

AI Translation Available

In the Linux kernel, the following vulnerability has been resolved:

bpf: Reset register ID for BPF_END value tracking

When a register undergoes a BPF_END (byte swap) operation, its scalar
value is mutated in-place. If this register previously shared a scalar ID
with another register (e.g., after an `r1 = r0` assignment), this tie must
be broken.

Currently, the verifier misses resetting `dst_reg->id` to 0 for BPF_END.
Consequently, if a conditional jump checks the swapped register, the
verifier incorrectly propagates the learned bounds to the linked register,
leading to false confidence in the linked register's value and potentially
allowing out-of-bounds memory accesses.

Fix this by explicitly resetting `dst_reg->id` to 0 in the BPF_END case
to break the scalar tie, similar to how BPF_NEG handles it via
`__mark_reg_known`.

https://git.kernel.org/stable/c/0d15c3611a2cc5d08993545d403…

https://git.kernel.org/stable/c/0d15c3611a2cc5d08993545d4032055ae10ae2c1

https://git.kernel.org/stable/c/a17443af874229408ce6b78e2c8…

https://git.kernel.org/stable/c/a17443af874229408ce6b78e2c8a2b5adeb4b7d8

https://git.kernel.org/stable/c/a3125bc01884431d30d73146163…

https://git.kernel.org/stable/c/a3125bc01884431d30d731461634c8295b6f0529

CVE-2026-43070

Description

Iscriviti alla newsletter