Improper input validation in Linux kernel - CVE-2026-53092

 

Improper input validation in Linux kernel - CVE-2026-53092

Published: June 25, 2026


Vulnerability identifier: #VU135215
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-53092
CWE-ID: CWE-20
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a local user to bypass the BPF verifier's safety checks.

The vulnerability exists due to improper input validation in the BPF verifier when processing BPF add or subtract operations where the source and destination register are the same. A local user can load a crafted BPF program to bypass the BPF verifier's safety checks.

The issue stems from incorrect delta tracking for linked registers, which can create a verifier-versus-runtime mismatch.


How to mitigate CVE-2026-53092

Install security update from vendor's repository.

Sources