CVE-2026-43070

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Reset register ID for BPF_END value tracking When a register undergoes a BPF_END (byte swap) operation, its scalar value is mutated in-place. If this register previously shared a scalar ID with another register (e.g., after an `r1 = r0` assignment), this tie must be broken. Currently, the verifier misses resetting `dst_reg->id` to 0 for BPF_END. Consequently, if a conditional jump checks the swapped register, the verifier incorrectly propagates the learned bounds to the linked register, leading to false confidence in the linked register's value and potentially allowing out-of-bounds memory accesses. Fix this by explicitly resetting `dst_reg->id` to 0 in the BPF_END case to break the scalar tie, similar to how BPF_NEG handles it via `__mark_reg_known`.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel (Stable versions prior to commits 0d15c36, a17443a, a3125bc)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * Conceptual PoC for BPF_END verifier flaw
 * This eBPF assembly snippet demonstrates the incorrect ID tracking.
 */

// 1. Load a map value pointer into r0
r0 = map_value_lookup(map_fd, index)

// 2. Assign r0 to r1. Now r0 and r1 share the same scalar ID.
r1 = r0

// 3. Perform BPF_END (byte swap) on r1.
// The value in r1 changes, but the verifier fails to reset r1's ID.
// The link between r0 and r1 incorrectly persists.
r1 = be64 r1

// 4. Conditional jump based on the swapped value r1.
// The verifier derives new bounds for r1.
if r1 > 0x100 goto safe_label

// 5. Unsafe path (Verifier incorrectly thinks r0 is bounded here).
// Due to the lingering ID link, the verifier thinks r0 is also small.
// Attacker can use r0 to access out-of-bounds memory.
r2 = *(u64 *)(r0 + 0x1000) 

safe_label:
exit();

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-43070
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-43070
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-43070/
[4] VulDB https://vuldb.com/cve/CVE-2026-43070
[5] https://git.kernel.org/stable/c/0d15c3611a2cc5d08993545d4032055ae10ae2c1
[6] https://git.kernel.org/stable/c/a17443af874229408ce6b78e2c8a2b5adeb4b7d8
[7] https://git.kernel.org/stable/c/a3125bc01884431d30d731461634c8295b6f0529

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-43070", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-05T16:16:16.320", "lastModified": "2026-05-08T13:16:37.750", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reset register ID for BPF_END value tracking\n\nWhen a register undergoes a BPF_END (byte swap) operation, its scalar\nvalue is mutated in-place. If this register previously shared a scalar ID\nwith another register (e.g., after an `r1 = r0` assignment), this tie must\nbe broken.\n\nCurrently, the verifier misses resetting `dst_reg->id` to 0 for BPF_END.\nConsequently, if a conditional jump checks the swapped register, the\nverifier incorrectly propagates the learned bounds to the linked register,\nleading to false confidence in the linked register's value and potentially\nallowing out-of-bounds memory accesses.\n\nFix this by explicitly resetting `dst_reg->id` to 0 in the BPF_END case\nto break the scalar tie, similar to how BPF_NEG handles it via\n`__mark_reg_known`."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "references": [{"url": "https://git.kernel.org/stable/c/0d15c3611a2cc5d08993545d4032055ae10ae2c1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a17443af874229408ce6b78e2c8a2b5adeb4b7d8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a3125bc01884431d30d731461634c8295b6f0529", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}