{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-43070", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-01T14:12:55.982Z", "datePublished": "2026-05-05T15:23:28.819Z", "dateUpdated": "2026-05-11T22:17:08.258Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:17:08.258Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reset register ID for BPF_END value tracking\n\nWhen a register undergoes a BPF_END (byte swap) operation, its scalar\nvalue is mutated in-place. If this register previously shared a scalar ID\nwith another register (e.g., after an `r1 = r0` assignment), this tie must\nbe broken.\n\nCurrently, the verifier misses resetting `dst_reg->id` to 0 for BPF_END.\nConsequently, if a conditional jump checks the swapped register, the\nverifier incorrectly propagates the learned bounds to the linked register,\nleading to false confidence in the linked register's value and potentially\nallowing out-of-bounds memory accesses.\n\nFix this by explicitly resetting `dst_reg->id` to 0 in the BPF_END case\nto break the scalar tie, similar to how BPF_NEG handles it via\n`__mark_reg_known`."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/bpf/verifier.c"], "versions": [{"version": "4c03342e5ac532fb34d13a7b51dd7261dfc48963", "lessThan": "a17443af874229408ce6b78e2c8a2b5adeb4b7d8", "status": "affected", "versionType": "git"}, {"version": "d00ce96623a69a100ad79675d0e85fda3c50d89b", "lessThan": "0d15c3611a2cc5d08993545d4032055ae10ae2c1", "status": "affected", "versionType": "git"}, {"version": "9d21199842247ab05c675fb9b6c6ca393a5c0024", "lessThan": "a3125bc01884431d30d731461634c8295b6f0529", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/bpf/verifier.c"], "versions": [{"version": "6.18.17", "lessThan": "6.18.21", "status": "affected", "versionType": "semver"}, {"version": "6.19.7", "lessThan": "6.19.11", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18.17", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19.7", "versionEndExcluding": "6.19.11"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/a17443af874229408ce6b78e2c8a2b5adeb4b7d8"}, {"url": "https://git.kernel.org/stable/c/0d15c3611a2cc5d08993545d4032055ae10ae2c1"}, {"url": "https://git.kernel.org/stable/c/a3125bc01884431d30d731461634c8295b6f0529"}], "title": "bpf: Reset register ID for BPF_END value tracking", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reset register ID for BPF_END value tracking\n\nWhen a register undergoes a BPF_END (byte swap) operation, its scalar\nvalue is mutated in-place. If this register previously shared a scalar ID\nwith another register (e.g., after an `r1 = r0` assignment), this tie must\nbe broken.\n\nCurrently, the verifier misses resetting `dst_reg->id` to 0 for BPF_END.\nConsequently, if a conditional jump checks the swapped register, the\nverifier incorrectly propagates the learned bounds to the linked register,\nleading to false confidence in the linked register's value and potentially\nallowing out-of-bounds memory accesses.\n\nFix this by explicitly resetting `dst_reg->id` to 0 in the BPF_END case\nto break the scalar tie, similar to how BPF_NEG handles it via\n`__mark_reg_known`."}], "id": "CVE-2026-43070", "lastModified": "2026-05-08T13:16:37.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-05-05T16:16:16.320", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0d15c3611a2cc5d08993545d4032055ae10ae2c1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a17443af874229408ce6b78e2c8a2b5adeb4b7d8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a3125bc01884431d30d731461634c8295b6f0529"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: bpf: Reset register ID for BPF_END value tracking", "id": "2466789", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466789"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-805", "details": ["A flaw was found in the Linux kernel's BPF (Berkeley Packet Filter) verifier. The verifier fails to correctly reset a register's ID after a BPF_END (byte swap) operation. This oversight can lead to the verifier incorrectly propagating learned memory bounds to other registers, creating false confidence in their values. Consequently, this could enable an attacker to perform out-of-bounds memory accesses, potentially leading to system instability or privilege escalation."], "name": "CVE-2026-43070", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-05-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-43070\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43070\nhttps://lore.kernel.org/linux-cve-announce/2026050533-CVE-2026-43070-bcf9@gregkh/T"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4c03342e5ac532fb34d13a7b51dd7261dfc48963,a17443af874229408ce6b78e2c8a2b5adeb4b7d8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[d00ce96623a69a100ad79675d0e85fda3c50d89b,0d15c3611a2cc5d08993545d4032055ae10ae2c1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[9d21199842247ab05c675fb9b6c6ca393a5c0024,a3125bc01884431d30d731461634c8295b6f0529)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.18.17,6.18.21)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.19.7,6.19.11)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "created": "2026-05-05T18:00:12.703555+00:00", "updated": "2026-05-08T15:30:05.405042+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-665", "CWE-805"]}