Linux Kernel BPF Delta Tracking Bypass Fix
CVE-2026-53092 Published on June 24, 2026
bpf: Fix linked reg delta tracking when src_reg == dst_reg
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix linked reg delta tracking when src_reg == dst_reg
Consider the case of rX += rX where src_reg and dst_reg are pointers to
the same bpf_reg_state in adjust_reg_min_max_vals(). The latter first
modifies the dst_reg in-place, and later in the delta tracking, the
subsequent is_reg_const(src_reg)/reg_const_value(src_reg) reads the
post-{add,sub} value instead of the original source.
This is problematic since it sets an incorrect delta, which sync_linked_regs()
then propagates to linked registers, thus creating a verifier-vs-runtime
mismatch. Fix it by just skipping this corner case.
Vulnerability Analysis
CVE-2026-53092 is exploitable with local system access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
Return of Wrong Status Code
A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result. This can lead to unpredictable behavior. If the function is used to make security-critical decisions or provide security-critical information, then the wrong status code can cause the software to assume that an action is safe, even when it is not.
Products Associated with CVE-2026-53092
stack.watch emails you whenever new vulnerabilities are published in Linux Kernel or Red Hat Enterprise Linux (RHEL). Just hit a watch button to start following.
Affected Versions
Linux:- Version 98d7ca374ba4b39e7535613d40e159f09ca14da2 and below d88e8e4a3b52bd5b2ff3eceba4b29d1b5506d066 is affected.
- Version 98d7ca374ba4b39e7535613d40e159f09ca14da2 and below cc86a8b0a1c54d2bccf6f68cf49b82dea91b84de is affected.
- Version 98d7ca374ba4b39e7535613d40e159f09ca14da2 and below d7f14173c0d5866c3cae759dee560ad1bed10d2e is affected.
- Version 6.11 is affected.
- Before 6.11 is unaffected.
- Version 6.18.33, <= 6.18.* is unaffected.
- Version 7.0.10, <= 7.0.* is unaffected.
- Version 7.1, <= * is unaffected.