CVE-2026-53032

Summary

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix NULL deref in map_kptr_match_type for scalar regs

Commit ab6c637ad027 ("bpf: Fix a bpf_kptr_xchg() issue with local kptr") refactored map_kptr_match_type() to branch on btf_is_kernel() before checking base_type(). A scalar register stored into a kptr slot has no btf, so the btf_is_kernel(reg->btf) call dereferences NULL.

Move the base_type() != PTR_TO_BTF_ID guard before any reg->btf access.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxab6c637ad0276e42f8acabcbc64932a6d346dab3 < 520454e839710c327808c2fcc98e28cee77355fcaffected
LinuxLinuxab6c637ad0276e42f8acabcbc64932a6d346dab3 < 0a36c1f72888bca0237295a4da19cd91821a90beaffected
LinuxLinuxab6c637ad0276e42f8acabcbc64932a6d346dab3 < 6982653ce5f119982aa58f1af58e7bfbebf39252affected
LinuxLinuxab6c637ad0276e42f8acabcbc64932a6d346dab3 < da1d615ce49a47986a8864e2371a26e97861085caffected
LinuxLinuxab6c637ad0276e42f8acabcbc64932a6d346dab3 < 4d0a375887ab4d49e4da1ff10f9606cab8f7c3adaffected
LinuxLinuxaf3d2e0f3a54e67806959d161e613457772babc5affected
LinuxLinux4782968e0d631b0d8944dcfd4bf8fb49be087101affected
LinuxLinux6.4.16 < 6.5affected
LinuxLinux6.5.3 < 6.6affected
LinuxLinux6.6affected
LinuxLinux0 < 6.6unaffected
LinuxLinux6.6.141 <= 6.6.*unaffected
LinuxLinux6.12.91 <= 6.12.*unaffected
LinuxLinux6.18.33 <= 6.18.*unaffected
LinuxLinux7.0.10 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References