CVE-2026-45839 (GCVE-0-2026-45839)

Vulnerability from cvelistv5 – Published: 2026-05-27 09:24 – Updated: 2026-05-27 09:24
VLAI
Title
bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()
Summary
In the Linux kernel, the following vulnerability has been resolved: bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec() CO-RE accessor strings are colon-separated indices that describe a path from a root BTF type to a target field, e.g. "0:1:2" walks through nested struct members. bpf_core_parse_spec() parses each component with sscanf("%d"), so negative values like -1 are silently accepted. The subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the upper bound and always pass for negative values because C integer promotion converts the __u16 btf_vlen result to int, making the comparison (int)(-1) >= (int)(N) false for any positive N. When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff, producing an out-of-bounds read far past the members array. A crafted BPF program with a negative CO-RE accessor on any struct that exists in vmlinux BTF (e.g. task_struct) crashes the kernel deterministically during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y (default on major distributions). The bug is reachable with CAP_BPF: BUG: unable to handle page fault for address: ffffed11818b6626 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page Oops: Oops: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full) RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354) RAX: 00000000ffffffff Call Trace: <TASK> bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321) bpf_core_apply (kernel/bpf/btf.c:9507) check_core_relo (kernel/bpf/verifier.c:19475) bpf_check (kernel/bpf/verifier.c:26031) bpf_prog_load (kernel/bpf/syscall.c:3089) __sys_bpf (kernel/bpf/syscall.c:6228) </TASK> CO-RE accessor indices are inherently non-negative (struct member index, array element index, or enumerator index), so reject them immediately after parsing.
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: ddc7c3042614e273044f698d2beab25cc3842d45 , < 3ff85ae79e1a74baeb916b78a63d821f6d19a994 (git)
Affected: ddc7c3042614e273044f698d2beab25cc3842d45 , < 36a9012f76ba8d9189ae56a1f8bb7c87c07a1f3a (git)
Affected: ddc7c3042614e273044f698d2beab25cc3842d45 , < 76f2ebaf79a9ae6d0737b87f045fe769e425d78f (git)
Affected: ddc7c3042614e273044f698d2beab25cc3842d45 , < 99dbab7b5a12d8f58d5b0aa2f7a1fe656a70f4b2 (git)
Affected: ddc7c3042614e273044f698d2beab25cc3842d45 , < 1c22483a2c4bbf747787f328392ca3e68619c4dc (git)
Create a notification for this product.
Linux Linux Affected: 5.4
Unaffected: 0 , < 5.4 (semver)
Unaffected: 6.6.141 , ≤ 6.6.* (semver)
Unaffected: 6.12.91 , ≤ 6.12.* (semver)
Unaffected: 6.18.33 , ≤ 6.18.* (semver)
Unaffected: 7.0.10 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "tools/lib/bpf/relo_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3ff85ae79e1a74baeb916b78a63d821f6d19a994",
              "status": "affected",
              "version": "ddc7c3042614e273044f698d2beab25cc3842d45",
              "versionType": "git"
            },
            {
              "lessThan": "36a9012f76ba8d9189ae56a1f8bb7c87c07a1f3a",
              "status": "affected",
              "version": "ddc7c3042614e273044f698d2beab25cc3842d45",
              "versionType": "git"
            },
            {
              "lessThan": "76f2ebaf79a9ae6d0737b87f045fe769e425d78f",
              "status": "affected",
              "version": "ddc7c3042614e273044f698d2beab25cc3842d45",
              "versionType": "git"
            },
            {
              "lessThan": "99dbab7b5a12d8f58d5b0aa2f7a1fe656a70f4b2",
              "status": "affected",
              "version": "ddc7c3042614e273044f698d2beab25cc3842d45",
              "versionType": "git"
            },
            {
              "lessThan": "1c22483a2c4bbf747787f328392ca3e68619c4dc",
              "status": "affected",
              "version": "ddc7c3042614e273044f698d2beab25cc3842d45",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "tools/lib/bpf/relo_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.91",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.33",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.10",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc1",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()\n\nCO-RE accessor strings are colon-separated indices that describe a path\nfrom a root BTF type to a target field, e.g. \"0:1:2\" walks through\nnested struct members. bpf_core_parse_spec() parses each component with\nsscanf(\"%d\"), so negative values like -1 are silently accepted.  The\nsubsequent bounds checks (access_idx \u003e= btf_vlen(t)) only guard the\nupper bound and always pass for negative values because C integer\npromotion converts the __u16 btf_vlen result to int, making the\ncomparison (int)(-1) \u003e= (int)(N) false for any positive N.\n\nWhen -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff,\nproducing an out-of-bounds read far past the members array.  A crafted\nBPF program with a negative CO-RE accessor on any struct that exists in\nvmlinux BTF (e.g. task_struct) crashes the kernel deterministically\nduring BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y\n(default on major distributions).  The bug is reachable with CAP_BPF:\n\n BUG: unable to handle page fault for address: ffffed11818b6626\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n Oops: Oops: 0000 [#1] SMP KASAN NOPTI\n CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)\n RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)\n RAX: 00000000ffffffff\n Call Trace:\n  \u003cTASK\u003e\n  bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)\n  bpf_core_apply (kernel/bpf/btf.c:9507)\n  check_core_relo (kernel/bpf/verifier.c:19475)\n  bpf_check (kernel/bpf/verifier.c:26031)\n  bpf_prog_load (kernel/bpf/syscall.c:3089)\n  __sys_bpf (kernel/bpf/syscall.c:6228)\n  \u003c/TASK\u003e\n\nCO-RE accessor indices are inherently non-negative (struct member index,\narray element index, or enumerator index), so reject them immediately\nafter parsing."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T09:24:37.855Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3ff85ae79e1a74baeb916b78a63d821f6d19a994"
        },
        {
          "url": "https://git.kernel.org/stable/c/36a9012f76ba8d9189ae56a1f8bb7c87c07a1f3a"
        },
        {
          "url": "https://git.kernel.org/stable/c/76f2ebaf79a9ae6d0737b87f045fe769e425d78f"
        },
        {
          "url": "https://git.kernel.org/stable/c/99dbab7b5a12d8f58d5b0aa2f7a1fe656a70f4b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c22483a2c4bbf747787f328392ca3e68619c4dc"
        }
      ],
      "title": "bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45839",
    "datePublished": "2026-05-27T09:24:37.855Z",
    "dateReserved": "2026-05-13T15:03:33.077Z",
    "dateUpdated": "2026-05-27T09:24:37.855Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-45839",
      "date": "2026-05-27",
      "epss": "0.00015",
      "percentile": "0.03531"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-45839\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-27T11:16:23.247\",\"lastModified\":\"2026-05-27T14:48:03.013\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()\\n\\nCO-RE accessor strings are colon-separated indices that describe a path\\nfrom a root BTF type to a target field, e.g. \\\"0:1:2\\\" walks through\\nnested struct members. bpf_core_parse_spec() parses each component with\\nsscanf(\\\"%d\\\"), so negative values like -1 are silently accepted.  The\\nsubsequent bounds checks (access_idx \u003e= btf_vlen(t)) only guard the\\nupper bound and always pass for negative values because C integer\\npromotion converts the __u16 btf_vlen result to int, making the\\ncomparison (int)(-1) \u003e= (int)(N) false for any positive N.\\n\\nWhen -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff,\\nproducing an out-of-bounds read far past the members array.  A crafted\\nBPF program with a negative CO-RE accessor on any struct that exists in\\nvmlinux BTF (e.g. task_struct) crashes the kernel deterministically\\nduring BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y\\n(default on major distributions).  The bug is reachable with CAP_BPF:\\n\\n BUG: unable to handle page fault for address: ffffed11818b6626\\n #PF: supervisor read access in kernel mode\\n #PF: error_code(0x0000) - not-present page\\n Oops: Oops: 0000 [#1] SMP KASAN NOPTI\\n CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)\\n RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)\\n RAX: 00000000ffffffff\\n Call Trace:\\n  \u003cTASK\u003e\\n  bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)\\n  bpf_core_apply (kernel/bpf/btf.c:9507)\\n  check_core_relo (kernel/bpf/verifier.c:19475)\\n  bpf_check (kernel/bpf/verifier.c:26031)\\n  bpf_prog_load (kernel/bpf/syscall.c:3089)\\n  __sys_bpf (kernel/bpf/syscall.c:6228)\\n  \u003c/TASK\u003e\\n\\nCO-RE accessor indices are inherently non-negative (struct member index,\\narray element index, or enumerator index), so reject them immediately\\nafter parsing.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1c22483a2c4bbf747787f328392ca3e68619c4dc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/36a9012f76ba8d9189ae56a1f8bb7c87c07a1f3a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3ff85ae79e1a74baeb916b78a63d821f6d19a994\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/76f2ebaf79a9ae6d0737b87f045fe769e425d78f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/99dbab7b5a12d8f58d5b0aa2f7a1fe656a70f4b2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.