Severity: HIGH
bpf TCX Detach Bypass
CVE-2026-45932
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
KernelScan AI score: 7.0 (HIGH)
01 Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix tcx/netkit detach permissions when prog fd isn't given

This commit fixes a security issue where BPF_PROG_DETACH on tcx or netkit devices could be executed by any user when no program fd was provided, bypassing permission checks. The fix adds a capability check for CAP_NET_ADMIN or CAP_SYS_ADMIN in this case.
02 KernelScan AI Analysis
Risk summary
Unprivileged users can detach BPF programs from tcx/netkit network devices when no program fd is provided, bypassing intended capability checks. This allows unauthorized modification of network traffic control programs, potentially disrupting network policies or enabling traffic manipulation.
Vulnerability analysis
The vulnerability exists in the BPF_PROG_DETACH syscall handler for tcx and netkit devices. When detaching a BPF program without providing a specific program file descriptor, the code failed to verify that the caller has CAP_NET_ADMIN or CAP_SYS_ADMIN capabilities. The fix adds a new bpf_mprog_detach_empty() function that enforces capability checks via bpf_net_capable() for BPF_PROG_TYPE_SCHED_CLS programs when no fd is specified. This prevents unprivileged users from performing bulk detachment operations that could affect network traffic control.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.14 | 4e0772cded10 |
| 6.19 | 6.19.4 | 3f04cc1e5374 |
| mainline | 7.0 | ae23bc81ddf7 |