Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-45933

Gravedad CVSS v3.1:
ALTA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
27/05/2026
Última modificación:
24/06/2026

Descripción

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Preserve id of register in sync_linked_regs()<br /> <br /> sync_linked_regs() copies the id of known_reg to reg when propagating<br /> bounds of known_reg to reg using the off of known_reg, but when<br /> known_reg was linked to reg like:<br /> <br /> known_reg = reg ; both known_reg and reg get same id<br /> known_reg += 4 ; known_reg gets off = 4, and its id gets BPF_ADD_CONST<br /> <br /> now when a call to sync_linked_regs() happens, let&amp;#39;s say with the following:<br /> <br /> if known_reg &gt;= 10 goto pc+2<br /> <br /> known_reg&amp;#39;s new bounds are propagated to reg but now reg gets<br /> BPF_ADD_CONST from the copy.<br /> <br /> This means if another link to reg is created like:<br /> <br /> another_reg = reg ; another_reg should get the id of reg but<br /> assign_scalar_id_before_mov() sees<br /> BPF_ADD_CONST on reg and assigns a new id to it.<br /> <br /> As reg has a new id now, known_reg&amp;#39;s link to reg is broken. If we find<br /> new bounds for known_reg, they will not be propagated to reg.<br /> <br /> This can be seen in the selftest added in the next commit:<br /> <br /> 0: (85) call bpf_get_prandom_u32#7 ; R0=scalar()<br /> 1: (57) r0 &amp;= 255 ; R0=scalar(smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff))<br /> 2: (bf) r1 = r0 ; R0=scalar(id=1,smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff)) R1=scalar(id=1,smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff))<br /> 3: (07) r1 += 4 ; R1=scalar(id=1+4,smin=umin=smin32=umin32=4,smax=umax=smax32=umax32=259,var_off=(0x0; 0x1ff))<br /> 4: (a5) if r1

Productos y versiones vulnerables

CPE Desde Hasta
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.11 (incluyendo) 6.12.75 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (incluyendo) 6.18.14 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (incluyendo) 6.19.4 (excluyendo)