CVE-2026-53032
ANALYSIS PENDINGbpf: Fix NULL deref in map_kptr_match_type for scalar regs
Title source: cnaDescription
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix NULL deref in map_kptr_match_type for scalar regs Commit ab6c637ad027 ("bpf: Fix a bpf_kptr_xchg() issue with local kptr") refactored map_kptr_match_type() to branch on btf_is_kernel() before checking base_type(). A scalar register stored into a kptr slot has no btf, so the btf_is_kernel(reg->btf) call dereferences NULL. Move the base_type() != PTR_TO_BTF_ID guard before any reg->btf access.
References (5)
Core 5
Core References
Scores
EPSS
0.0017
EPSS Percentile
6.3%
Details
Status
published
Products (20)
linux/Kernel
6.13.0 - 6.18.33linux
linux/Kernel
6.19.0 - 7.0.10linux
linux/Kernel
6.6.0 - 6.6.141linux
linux/Kernel
6.7.0 - 6.12.91linux
Linux/Linux
< 6.6
Linux/Linux
4782968e0d631b0d8944dcfd4bf8fb49be087101
Linux/Linux
6.12.91 - 6.12.*
Linux/Linux
6.18.33 - 6.18.*
Linux/Linux
6.4.16 - 6.5
Linux/Linux
6.5.3 - 6.6
... and 10 more
Published
Jun 24, 2026
Tracked Since
Jun 24, 2026