KernelScan.io

HIGH

bpf Verifier Bypass

CVE-2026-43070

CVSS 7.8 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 8.6 HIGH


In the Linux kernel, the following vulnerability has been resolved:

bpf: Reset register ID for BPF_END value tracking

When a register undergoes a BPF_END (byte swap) operation, its scalar value is mutated in-place. If this register previously shared a scalar ID with another register (e.g., after an `r1 = r0` assignment), this tie must be broken.

Currently, the verifier misses resetting `dst_reg->id` to 0 for BPF_END. Consequently, if a conditional jump checks the swapped register, the verifier incorrectly propagates the learned bounds to the linked register, leading to false confidence in the linked register's value and potentially allowing out-of-bounds memory accesses.

Fix this by explicitly resetting `dst_reg->id` to 0 in the BPF_END case to break the scalar tie, similar to how BPF_NEG handles it via `__mark_reg_known`.


Engine v0.2.0

Risk summary

The BPF verifier incorrectly tracks register relationships after byte swap operations, allowing crafted BPF programs to bypass bounds checking. This can lead to arbitrary kernel memory access, potentially enabling container escape or privilege escalation. Systems running untrusted BPF code or multi-tenant environments are at highest risk.

Affected: kernel/bpf/verifier.c (BPF subsystem)

Vulnerability analysis

The root cause is in the scalar_byte_swap function, where the verifier fails to reset dst_reg->id to 0 after a BPF_END operation mutates the register's value. When two registers share a scalar ID (indicating that they hold the same value), that tie must be broken as soon as one of them is mutated. Because the ID is not reset, bounds learned from a conditional check on the swapped register are incorrectly propagated to the linked register, leading to a verifier bypass. The fix explicitly resets the register ID when the mutation occurs, breaking the scalar relationship and preventing false confidence in the linked register's bounds.


Branch | Fixed in | Patch commit
6.18   | 6.18.21  | a17443af8742
6.19   | 6.19.11  | 0d15c3611a2c