CVE-2026-43070

Source
https://cve.org/CVERecord?id=CVE-2026-43070
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43070.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-43070
Downstream
Published
2026-05-05T15:23:28.819Z
Modified
2026-07-08T08:13:30.277192517Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
bpf: Reset register ID for BPF_END value tracking
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Reset register ID for BPF_END value tracking

When a register undergoes a BPF_END (byte swap) operation, its scalar value is mutated in-place. If this register previously shared a scalar ID with another register (e.g., after an r1 = r0 assignment), this tie must be broken.

Currently, the verifier misses resetting dst_reg->id to 0 for BPF_END. Consequently, if a conditional jump checks the swapped register, the verifier incorrectly propagates the learned bounds to the linked register, leading to false confidence in the linked register's value and potentially allowing out-of-bounds memory accesses.

Fix this by explicitly resetting dst_reg->id to 0 in the BPFEND case to break the scalar tie, similar to how BPFNEG handles it via __mark_reg_known.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43070.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4c03342e5ac532fb34d13a7b51dd7261dfc48963
Fixed
a17443af874229408ce6b78e2c8a2b5adeb4b7d8
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d00ce96623a69a100ad79675d0e85fda3c50d89b
Fixed
0d15c3611a2cc5d08993545d4032055ae10ae2c1
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9d21199842247ab05c675fb9b6c6ca393a5c0024
Fixed
a3125bc01884431d30d731461634c8295b6f0529

Affected versions

v6.*
v6.18.17
v6.18.18
v6.18.19
v6.18.20
v6.19.10
v6.19.7
v6.19.8
v6.19.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43070.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.18.17
Fixed
6.18.21
Type
ECOSYSTEM
Events
Introduced
6.19.7
Fixed
6.19.11

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43070.json"