In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix same-register dst/src OOB read and pointer leak in sock_ops
When a BPF sockops program accesses ctx fields with dstreg == srcreg, the SOCKOPSGETSK() and SOCKOPSGETFIELD() macros fail to zero the destination register in the !fullsock / !lockedtcp_sock path.
Both macros borrow a temporary register to check isfullsock / islockedtcpsock when dstreg == srcreg, because dstreg holds the ctx pointer. When the check is false (e.g., TCPNEWSYNRECV state with a requestsock), dstreg should be zeroed but is not, leaving the stale ctx pointer:
SOCKOPSGETSK: dstreg retains the ctx pointer, passes NULL checks as PTRTOSOCKETORNULL, and can be used as a bogus socket pointer, leading to stack-out-of-bounds access in helpers like bpfskctotcp6sock().
SOCKOPSGETFIELD: dstreg retains the ctx pointer which the verifier believes is a SCALAR_VALUE, leaking a kernel pointer.
Fix both macros by: - Changing JMPA(1) to JMPA(2) in the fullsock path to skip the added instruction. - Adding BPFMOV64IMM(si->dstreg, 0) after the temp register restore in the !fullsock path, placed after the restore because dstreg == srcreg means we need srcreg intact to read ctx->temp.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53078.json"
}