CVE-2026-45933
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/05/2026
Last modified:
24/06/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
bpf: Preserve id of register in sync_linked_regs()<br />
<br />
sync_linked_regs() copies the id of known_reg to reg when propagating<br />
bounds of known_reg to reg using the off of known_reg, but when<br />
known_reg was linked to reg like:<br />
<br />
known_reg = reg ; both known_reg and reg get same id<br />
known_reg += 4 ; known_reg gets off = 4, and its id gets BPF_ADD_CONST<br />
<br />
now when a call to sync_linked_regs() happens, let&#39;s say with the following:<br />
<br />
if known_reg >= 10 goto pc+2<br />
<br />
known_reg&#39;s new bounds are propagated to reg but now reg gets<br />
BPF_ADD_CONST from the copy.<br />
<br />
This means if another link to reg is created like:<br />
<br />
another_reg = reg ; another_reg should get the id of reg but<br />
assign_scalar_id_before_mov() sees<br />
BPF_ADD_CONST on reg and assigns a new id to it.<br />
<br />
As reg has a new id now, known_reg&#39;s link to reg is broken. If we find<br />
new bounds for known_reg, they will not be propagated to reg.<br />
<br />
This can be seen in the selftest added in the next commit:<br />
<br />
0: (85) call bpf_get_prandom_u32#7 ; R0=scalar()<br />
1: (57) r0 &= 255 ; R0=scalar(smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff))<br />
2: (bf) r1 = r0 ; R0=scalar(id=1,smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff)) R1=scalar(id=1,smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff))<br />
3: (07) r1 += 4 ; R1=scalar(id=1+4,smin=umin=smin32=umin32=4,smax=umax=smax32=umax32=259,var_off=(0x0; 0x1ff))<br />
4: (a5) if r1
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.11 (including) | 6.12.75 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.14 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 6.19.4 (excluding) |
To consult the complete list of CPE names with products and versions, see this page



