CVE-2026-53092

Source
https://cve.org/CVERecord?id=CVE-2026-53092
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53092.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53092
Downstream
Published
2026-06-24T16:30:31.168Z
Modified
2026-07-15T01:49:06.966388498Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
bpf: Fix linked reg delta tracking when src_reg == dst_reg
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix linked reg delta tracking when srcreg == dstreg

Consider the case of rX += rX where srcreg and dstreg are pointers to the same bpfregstate in adjustregminmaxvals(). The latter first modifies the dstreg in-place, and later in the delta tracking, the subsequent isregconst(srcreg)/regconstvalue(src_reg) reads the post-{add,sub} value instead of the original source.

This is problematic since it sets an incorrect delta, which synclinkedregs() then propagates to linked registers, thus creating a verifier-vs-runtime mismatch. Fix it by just skipping this corner case.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53092.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
98d7ca374ba4b39e7535613d40e159f09ca14da2
Fixed
d88e8e4a3b52bd5b2ff3eceba4b29d1b5506d066
Fixed
cc86a8b0a1c54d2bccf6f68cf49b82dea91b84de
Fixed
d7f14173c0d5866c3cae759dee560ad1bed10d2e

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53092.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.11.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53092.json"