CVE-2026-53095

ANALYSIS PENDING

bpf: Fix abuse of kprobe_write_ctx via freplace

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix abuse of kprobe_write_ctx via freplace uprobe programs are allowed to modify struct pt_regs. Since the actual program type of uprobe is KPROBE, it can be abused to modify struct pt_regs via kprobe+freplace when the kprobe attaches to kernel functions. For example, SEC("?kprobe") int kprobe(struct pt_regs *regs) { return 0; } SEC("?freplace") int freplace_kprobe(struct pt_regs *regs) { regs->di = 0; return 0; } freplace_kprobe prog will attach to kprobe prog. kprobe prog will attach to a kernel function. Without this patch, when the kernel function runs, its first arg will always be set as 0 via the freplace_kprobe prog. To fix the abuse of kprobe_write_ctx=true via kprobe+freplace, disallow attaching freplace programs on kprobe programs with different kprobe_write_ctx values.

Scores

EPSS 0.0017
EPSS Percentile 6.1%

Details

Status published
Products (10)
linux/Kernel 6.18.0 - 6.18.33linux
linux/Kernel 6.19.0 - 7.0.10linux
Linux/Linux < 6.18
Linux/Linux 6.18
Linux/Linux 6.18.33 - 6.18.*
Linux/Linux 7.0.10 - 7.0.*
Linux/Linux 7.1
Linux/Linux 7384893d970ea114952aef54ad7e3d7d2ca82d4f - 611fe4b79af72d00d80f2223354284447daafae9
Linux/Linux 7384893d970ea114952aef54ad7e3d7d2ca82d4f - 9836cadbd96c7e0dbb0018fa60e7872dd31ac4f8
Linux/Linux 7384893d970ea114952aef54ad7e3d7d2ca82d4f - b312cf41b9e43f442613053f6cad39898e1baf96
Published Jun 24, 2026
Tracked Since Jun 24, 2026