CVE-2026-45839

Source
https://cve.org/CVERecord?id=CVE-2026-45839
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45839.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45839
Downstream
Related
Published
2026-05-27T09:24:37.855Z
Modified
2026-07-15T01:49:06.292376589Z
Summary
bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: reject negative CO-RE accessor indices in bpfcoreparse_spec()

CO-RE accessor strings are colon-separated indices that describe a path from a root BTF type to a target field, e.g. "0:1:2" walks through nested struct members. bpfcoreparsespec() parses each component with sscanf("%d"), so negative values like -1 are silently accepted. The subsequent bounds checks (accessidx >= btf_vlen(t)) only guard the upper bound and always pass for negative values because C integer promotion converts the _u16 btfvlen result to int, making the comparison (int)(-1) >= (int)(N) false for any positive N.

When -1 reaches btfmemberbitoffset() it gets cast to u32 0xffffffff, producing an out-of-bounds read far past the members array. A crafted BPF program with a negative CO-RE accessor on any struct that exists in vmlinux BTF (e.g. taskstruct) crashes the kernel deterministically during BPFPROGLOAD on any system with CONFIGDEBUGINFOBTF=y (default on major distributions). The bug is reachable with CAPBPF:

BUG: unable to handle page fault for address: ffffed11818b6626 #PF: supervisor read access in kernel mode #PF: errorcode(0x0000) - not-present page Oops: Oops: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full) RIP: 0010:bpfcoreparsespec (tools/lib/bpf/relocore.c:354) RAX: 00000000ffffffff Call Trace: <TASK> bpfcorecalcreloinsn (tools/lib/bpf/relocore.c:1321) bpfcoreapply (kernel/bpf/btf.c:9507) checkcorerelo (kernel/bpf/verifier.c:19475) bpfcheck (kernel/bpf/verifier.c:26031) bpfprog_load (kernel/bpf/syscall.c:3089) _sysbpf (kernel/bpf/syscall.c:6228) </TASK>

CO-RE accessor indices are inherently non-negative (struct member index, array element index, or enumerator index), so reject them immediately after parsing.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45839.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ddc7c3042614e273044f698d2beab25cc3842d45
Fixed
a9e777f856cd2f1efc106afc7bf21aef868509d5
Fixed
669349b4612c26b3d7aacfa99d7174681bd19223
Fixed
3ff85ae79e1a74baeb916b78a63d821f6d19a994
Fixed
36a9012f76ba8d9189ae56a1f8bb7c87c07a1f3a
Fixed
76f2ebaf79a9ae6d0737b87f045fe769e425d78f
Fixed
99dbab7b5a12d8f58d5b0aa2f7a1fe656a70f4b2
Fixed
1c22483a2c4bbf747787f328392ca3e68619c4dc

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45839.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.4.0
Fixed
5.15.209
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.141
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.91
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45839.json"