SB2026062564 - Improper input validation in Linux kernel bpf



SB2026062564 - Improper input validation in Linux kernel bpf

Published: June 25, 2026

Security Bulletin ID SB2026062564
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Local access
Highest impact Data manipulation

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Improper input validation (CVE-ID: CVE-2026-53092)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to bypass the BPF verifier's safety checks.

The vulnerability exists due to improper input validation in the BPF verifier when processing BPF add or subtract operations where the source and destination register are the same. A local user can load a crafted BPF program to bypass the BPF verifier's safety checks.

The issue stems from incorrect delta tracking for linked registers, which can create a verifier-versus-runtime mismatch.


Remediation

Install update from vendor's website.