7 matches found
bpf: Fix NULL deref in map_kptr_match_type for scalar regs
...
EUVD-2026-38900
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix NULL deref in mapkptrmatchtype for scalar regs Commit ab6c637ad027 "bpf: Fix a bpfkptrxchg issue with local kptr" refactored mapkptrmatchtype to branch on btfiskernel before checking basetype. A scalar register stored in...
CVE-2026-53081 bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars
In the Linux kernel, the following vulnerability has been resolved: bpf: Enforce regsafe base id consistency for BPFADDCONST scalars When regsafe compares two scalar registers that both carry BPFADDCONST, checkscalarids maps their full compound id aka base | BPFADDCONST flag as one idmap entry...
CVE-2026-53032 bpf: Fix NULL deref in map_kptr_match_type for scalar regs
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix NULL deref in mapkptrmatchtype for scalar regs Commit ab6c637ad027 "bpf: Fix a bpfkptrxchg issue with local kptr" refactored mapkptrmatchtype to branch on btfiskernel before checking basetype. A scalar register stored in...
CVE-2026-53032
The CVE-2026-53032 issue affects the Linux kernel's BPF subsystem, specifically the map_kptr_match_type function. A scalar register stored into a kptr can trigger a NULL dereference when the code branches on btf_is_kernel(reg->btf) before verifying base_type(), since such registers have no BTF...
PT-2026-51926
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A NULL pointer dereference occurs in the map kptr match type function when handling scalar registers. This happens because the function calls btf is kernel before verifying the base type...
CVE-2022-49658
CVE-2022-49658 concerns the Linux kernel’s BPF bounds propagation. The issue stems from insufficient propagation of tnum min/max bounds into register bounds during operations like adjust_scalar_min_max_vals, allowing a register that becomes a constant-like value to leak pointers when it is later ...