CVE-2026-53032

ANALYSIS PENDING

bpf: Fix NULL deref in map_kptr_match_type for scalar regs

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix NULL deref in map_kptr_match_type for scalar regs Commit ab6c637ad027 ("bpf: Fix a bpf_kptr_xchg() issue with local kptr") refactored map_kptr_match_type() to branch on btf_is_kernel() before checking base_type(). A scalar register stored into a kptr slot has no btf, so the btf_is_kernel(reg->btf) call dereferences NULL. Move the base_type() != PTR_TO_BTF_ID guard before any reg->btf access.

Scores

EPSS 0.0017
EPSS Percentile 6.3%

Details

Status published
Products (20)
linux/Kernel 6.13.0 - 6.18.33linux
linux/Kernel 6.19.0 - 7.0.10linux
linux/Kernel 6.6.0 - 6.6.141linux
linux/Kernel 6.7.0 - 6.12.91linux
Linux/Linux < 6.6
Linux/Linux 4782968e0d631b0d8944dcfd4bf8fb49be087101
Linux/Linux 6.12.91 - 6.12.*
Linux/Linux 6.18.33 - 6.18.*
Linux/Linux 6.4.16 - 6.5
Linux/Linux 6.5.3 - 6.6
... and 10 more
Published Jun 24, 2026
Tracked Since Jun 24, 2026