HIGH
bpf Verifier Bypass
CVE-2026-43321
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Properly mark live registers for indirect jumps

For a `gotox rX` instruction the rX register should be marked as used in the compute_insn_live_regs() function. Fix this.
02 KernelScan AI Analysis
Risk summary
The BPF verifier's register-liveness analysis does not record that an indirect jump (`gotox rX`) reads rX. Liveness information feeds the verifier's state pruning, where registers believed dead are not compared, so a register wrongly treated as dead can let a crafted program be accepted on the strength of an incorrect state equivalence. On systems where an attacker can load BPF programs this could potentially lead to arbitrary kernel memory access and container escape.
Vulnerability analysis
The root cause is in compute_insn_live_regs(): for an indirect jump, a BPF_JA instruction whose source field is BPF_X (`gotox rX`), it did not add rX, the register holding the jump target, to the instruction's set of used registers. Liveness is computed backwards from each instruction's uses and definitions, so the missing use makes rX appear dead at the jump (and, if nothing else reads it, in the instructions before it), and the verifier may then treat two states that differ only in the jump target as equivalent. The fix marks the register named by the gotox as used. Exploitation requires the ability to load BPF programs locally; most distributions restrict that to privileged users (CAP_BPF or CAP_SYS_ADMIN) or disable unprivileged BPF entirely through the kernel.unprivileged_bpf_disabled sysctl, which narrows the exposure but does not remove it for workloads that are granted BPF loading.
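The liveness mechanism described above, as a simplified model added here (this is example code, not the kernel's): per-instruction use/def sets in the style of compute_insn_live_regs(), a backward pass over a constructed three-instruction program ending in `gotox r2`, and a pruning comparison that skips registers believed dead. The instruction encoding, the register masks, the `fixed` switch and the constructed program are this example's own assumptions; the real verifier follows jump-table successors and uses a far more involved equivalence check.

```c
/*
 * Added example (not kernel code): a reduced model of per-instruction
 * use/def liveness and of how a missing "use" affects state pruning.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_REGS 11                      /* r0..r10 */
#define REG(n)   ((uint16_t)(1u << (n)))

enum insn_kind { INSN_MOV, INSN_ADD, INSN_GOTOX, INSN_EXIT };

struct insn {
    enum insn_kind kind;
    int dst;   /* dst_reg field; for gotox this names the target register rX */
    int src;   /* src_reg field; unused by gotox and exit */
};

/* Model of compute_insn_live_regs(): registers read (use) and written (def)
 * by one instruction. `fixed` selects the patched behaviour for gotox. */
static void insn_live_regs(const struct insn *in, bool fixed,
                           uint16_t *use, uint16_t *def)
{
    *use = 0;
    *def = 0;
    switch (in->kind) {
    case INSN_MOV:   *use = REG(in->src);                *def = REG(in->dst); break;
    case INSN_ADD:   *use = REG(in->src) | REG(in->dst); *def = REG(in->dst); break;
    case INSN_GOTOX:
        /* Pre-fix behaviour: rX was not reported as read at all. */
        if (fixed)
            *use = REG(in->dst);
        break;
    case INSN_EXIT:  *use = REG(0); break;               /* return value in r0 */
    }
}

/* Backward liveness over straight-line code:
 *   live_before[i] = use[i] | (live_after[i] & ~def[i])
 * The kernel takes live_after from every successor (for gotox, the jump
 * table entries); this model treats the last instruction as having none. */
static void compute_live_before(const struct insn *prog, int n, bool fixed,
                                uint16_t *live_before)
{
    uint16_t live_after = 0;

    for (int i = n - 1; i >= 0; i--) {
        uint16_t use, def;

        insn_live_regs(&prog[i], fixed, &use, &def);
        live_before[i] = use | (live_after & (uint16_t)~def);
        live_after = live_before[i];
    }
}

/* Model of the pruning comparison: two states are "equivalent" when every
 * register live at this instruction holds the same value. Registers believed
 * dead are skipped, which is where a wrong liveness result bites. */
static bool states_equivalent(uint16_t live, const long *a, const long *b)
{
    for (int r = 0; r < MAX_REGS; r++)
        if ((live & REG(r)) && a[r] != b[r])
            return false;
    return true;
}

/* Constructed program: r2 is written, left untouched, then used as a jump target. */
static const struct insn prog[] = {
    { INSN_MOV,   2, 1 },   /* 0: r2 = r1 */
    { INSN_MOV,   3, 4 },   /* 1: r3 = r4 */
    { INSN_GOTOX, 2, 0 },   /* 2: gotox r2 */
};
#define PROG_LEN ((int)(sizeof(prog) / sizeof(prog[0])))

/* Live-register mask before instruction `idx`, under buggy or fixed analysis. */
uint16_t live_before_insn(int idx, bool fixed)
{
    uint16_t live[PROG_LEN];

    compute_live_before(prog, PROG_LEN, fixed, live);
    return live[idx];
}

/* Would the pruner treat two states that differ only in the jump-target
 * register r2 as equivalent at the gotox? A correct analysis says no. */
bool pruner_merges_differing_targets(bool fixed)
{
    long a[MAX_REGS] = { 0 }, b[MAX_REGS] = { 0 };

    a[2] = 0x10;   /* constructed: two different indirect-jump targets */
    b[2] = 0x20;
    return states_equivalent(live_before_insn(2, fixed), a, b);
}

int main(void)
{
    for (int fixed = 0; fixed <= 1; fixed++) {
        printf("%s analysis:\n", fixed ? "fixed" : "buggy");
        for (int i = 0; i < PROG_LEN; i++)
            printf("  live before insn %d: 0x%03x\n", i, live_before_insn(i, fixed));
        printf("  differing r2 merged by pruner: %s\n",
               pruner_merges_differing_targets(fixed) ? "yes" : "no");
    }
    return 0;
}
```

Under the buggy setting r2 is reported dead both at the gotox and across the unrelated `r3 = r4` before it, so two states whose r2 holds different jump targets compare equal and the second would be pruned without its target being re-examined; with the fix r2 stays live from its definition to the jump and the two states compare unequal.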
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.19 | 6.19.6 | 7beae54111c3 |
| mainline | 7.0 | d1aab1ca576c |