CVE-2026-45933
Gravedad CVSS v3.1:
ALTA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
27/05/2026
Última modificación:
24/06/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
bpf: Preserve id of register in sync_linked_regs()<br />
<br />
sync_linked_regs() copies the id of known_reg to reg when propagating<br />
bounds of known_reg to reg using the off of known_reg, but when<br />
known_reg was linked to reg like:<br />
<br />
known_reg = reg ; both known_reg and reg get same id<br />
known_reg += 4 ; known_reg gets off = 4, and its id gets BPF_ADD_CONST<br />
<br />
now when a call to sync_linked_regs() happens, let&#39;s say with the following:<br />
<br />
if known_reg >= 10 goto pc+2<br />
<br />
known_reg&#39;s new bounds are propagated to reg but now reg gets<br />
BPF_ADD_CONST from the copy.<br />
<br />
This means if another link to reg is created like:<br />
<br />
another_reg = reg ; another_reg should get the id of reg but<br />
assign_scalar_id_before_mov() sees<br />
BPF_ADD_CONST on reg and assigns a new id to it.<br />
<br />
As reg has a new id now, known_reg&#39;s link to reg is broken. If we find<br />
new bounds for known_reg, they will not be propagated to reg.<br />
<br />
This can be seen in the selftest added in the next commit:<br />
<br />
0: (85) call bpf_get_prandom_u32#7 ; R0=scalar()<br />
1: (57) r0 &= 255 ; R0=scalar(smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff))<br />
2: (bf) r1 = r0 ; R0=scalar(id=1,smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff)) R1=scalar(id=1,smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff))<br />
3: (07) r1 += 4 ; R1=scalar(id=1+4,smin=umin=smin32=umin32=4,smax=umax=smax32=umax32=259,var_off=(0x0; 0x1ff))<br />
4: (a5) if r1
Impacto
Puntuación base 3.x
7.80
Gravedad 3.x
ALTA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.11 (incluyendo) | 6.12.75 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (incluyendo) | 6.18.14 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (incluyendo) | 6.19.4 (excluyendo) |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página



