Severity: HIGH
bpf BTF UAF
CVE-2026-45951
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.3 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix a potential use-after-free of BTF object

Refcounting in the check_pseudo_btf_id() function is incorrect: the __check_pseudo_btf_id() function might get called with a zero refcounted btf. Fix this, and patch related code accordingly.

v3: rephrase a comment (AI)
v2: fix a refcount leak introduced in v1 (AI)
02 KernelScan AI Analysis
Risk summary
A use-after-free vulnerability in the BPF verifier's BTF object handling allows local attackers with CAP_BPF capability to cause kernel memory corruption and potential information disclosure. This can lead to privilege escalation, information leak of kernel pointers or slab data, or system crashes in environments where BPF program loading is permitted.
Vulnerability analysis
The vulnerability stems from incorrect reference counting in check_pseudo_btf_id() where __check_pseudo_btf_id() could be called with a zero-refcounted BTF object. The fix restructures the reference counting logic to ensure BTF objects maintain proper reference counts throughout their usage, adding btf_put() calls on all exit paths and using btf_get_by_fd() instead of __btf_get_by_fd() to properly increment reference counts. The attack surface is local, requiring CAP_BPF capability to load BPF programs with BTF pseudo instructions.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.14 | eac65c272f3b |
| 6.19 | 6.19.4 | 9ff46ffeecdb |
| mainline | 7.0 | ccd2d799ed44 |