CVE-2026-53076

Summary

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix OOB in pcpu_init_value

An out-of-bounds read occurs when copying element from a BPF_MAP_TYPE_CGROUP_STORAGE map to another pcpu map with the same value_size that is not rounded up to 8 bytes.

The issue happens when:

  1. A CGROUP_STORAGE map is created with value_size not aligned to 8 bytes (e.g., 4 bytes)
  2. A pcpu map is created with the same value_size (e.g., 4 bytes)
  3. Update element in 2 with data in 1

pcpu_init_value assumes that all sources are rounded up to 8 bytes, and invokes copy_map_value_long to make a data copy, However, the assumption doesn't stand since there are some cases where the source may not be rounded up to 8 bytes, e.g., CGROUP_STORAGE, skb->data. the verifier verifies exactly the size that the source claims, not the size rounded up to 8 bytes by kernel, an OOB happens when the source has only 4 bytes while the copy size(4) is rounded up to 8.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxd3bec0138bfbe58606fc1d6f57a4cdc1a20218db < e19c5ed9f1922a6854073f8651a63fa7be26e9e9affected
LinuxLinuxd3bec0138bfbe58606fc1d6f57a4cdc1a20218db < e0378419b0e20178b5d100b27c9cc7e51064202eaffected
LinuxLinuxd3bec0138bfbe58606fc1d6f57a4cdc1a20218db < 6086079e6d1c32ba4c4b422612b8aebb1129a96caffected
LinuxLinuxd3bec0138bfbe58606fc1d6f57a4cdc1a20218db < 634a793d0e1c822412095d25a1338f8831ad894caffected
LinuxLinuxd3bec0138bfbe58606fc1d6f57a4cdc1a20218db < 576afddfee8d1108ee299bf10f581593540d1a36affected
LinuxLinuxc602ad2b52dcbca5af08e5137bd5575c039b52e3affected
LinuxLinuxab68b940dd6f7b5f8e2557937162dcb8a0583a05affected
LinuxLinux5.4.78 < 5.5affected
LinuxLinux5.9.9 < 5.10affected
LinuxLinux5.10affected
LinuxLinux0 < 5.10unaffected
LinuxLinux6.6.141 <= 6.6.*unaffected
LinuxLinux6.12.91 <= 6.12.*unaffected
LinuxLinux6.18.33 <= 6.18.*unaffected
LinuxLinux7.0.10 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References