KernelScan.io

HIGH

bpf Verifier Bypass

CVE-2026-43030

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix regsafe() for pointers to packet

In case rold->reg->range == BEYOND_PKT_END && rcur->reg->range == N regsafe() may return true which may lead to current state with valid packet range not being explored. Fix the bug.

Engine v0.2.0

Risk summary

The BPF verifier incorrectly validates packet pointer ranges, allowing malicious BPF programs to bypass safety checks and potentially access memory beyond packet boundaries. This affects systems that load untrusted BPF programs, including container hosts and multi-tenant environments where unprivileged users can submit BPF code.

Affected: kernel/bpf/verifier.c (BPF subsystem)

Vulnerability analysis

The root cause is in the regsafe() function where the verifier incorrectly considers two register states equivalent when comparing packet pointer ranges. Specifically, when an old register state has range BEYOND_PKT_END (negative value) and the current state has a different range value, regsafe() may return true, causing the verifier to skip exploring valid execution paths. This allows crafted BPF programs to access packet data beyond safe boundaries. The fix adds proper handling for negative range values (BEYOND_PKT_END and AT_PKT_END) by ensuring they are only considered safe if they match exactly, preventing the verifier from incorrectly pruning valid states that need verification.

Branch      Fixed in    Patch commit
5.10        5.10.253    b52f6d0ef7b3
5.15        5.15.203    37db6b9726d0
6.1         6.1.168     015a74476dc1
6.12        6.12.81     7241da033fdc
6.18        6.18.22     8aebe1806939
6.19        6.19.12     ca995b1462ec
6.6         6.6.134     b99d82706bd1
mainline    7.0         a8502a79e832