PatchSiren

CVE-2026-43321 Git CVE debrief

CVE-2026-43321 is a Linux kernel BPF verifier bug in indirect-jump live-register tracking. The issue was resolved by ensuring the target register in a `gotox rX` instruction is marked as used during `compute_insn_live_regs()`. Because the flaw affects kernel-level BPF analysis and carries a CVSS 7.8 High rating, it should be treated as a priority kernel security fix.

Vendor: Git
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-11
Advisory published: 2026-05-08
Advisory updated: 2026-05-11

Who should care

Linux kernel maintainers, distro security teams, and operators of systems that rely on eBPF/BPF features should pay close attention, especially where kernel updates are centrally managed or delayed.

Technical summary

According to the CVE description, `compute_insn_live_regs()` did not properly mark the register used by a `gotox rX` indirect jump as live. That can cause incorrect register-liveness tracking in the BPF verifier path. The source references point to Linux kernel stable commit records that address the issue.
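
To show why an unmarked jump register matters, the following added example runs backward liveness analysis over a constructed six-instruction program. It is a simplified model written for this page, not kernel code and not the upstream fix; the instruction layout, `live_in_at()`, and the `mark_jump_reg` switch are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model (an assumption, not kernel code): each instruction lists
 * registers written (def), read (use), and up to two successors (-1 = none). */
enum kind { ALU, GOTOX, EXIT };
struct insn { enum kind kind; uint16_t def, use; int reg; int succ[2]; };

#define R(n) ((uint16_t)1u << (n))
#define NINSN 6

/* Constructed sample program; `reg` is only meaningful for GOTOX. */
static const struct insn prog[NINSN] = {
    { ALU,   R(3), 0,    0, {  1, -1 } },  /* 0: r3 = jump target */
    { ALU,   R(0), 0,    0, {  2, -1 } },  /* 1: r0 = 0           */
    { GOTOX, 0,    0,    3, {  3,  4 } },  /* 2: gotox r3         */
    { ALU,   R(0), 0,    0, {  5, -1 } },  /* 3: r0 = 1           */
    { ALU,   R(0), 0,    0, {  5, -1 } },  /* 4: r0 = 2           */
    { EXIT,  0,    R(0), 0, { -1, -1 } },  /* 5: exit (reads r0)  */
};

/* Backward liveness to a fixed point: in = use | (out & ~def).
 * mark_jump_reg == 0 models the omitted use described in the CVE text. */
uint16_t live_in_at(int idx, int mark_jump_reg)
{
    uint16_t in[NINSN] = {0};
    int changed = 1;
    while (changed) {
        changed = 0;
        for (int i = NINSN - 1; i >= 0; i--) {
            uint16_t out = 0, use = prog[i].use;
            for (int s = 0; s < 2; s++)
                if (prog[i].succ[s] >= 0)
                    out |= in[prog[i].succ[s]];
            if (prog[i].kind == GOTOX && mark_jump_reg)
                use |= R(prog[i].reg);  /* the jump reads its target register */
            uint16_t new_in = (uint16_t)(use | (out & ~prog[i].def));
            if (new_in != in[i]) { in[i] = new_in; changed = 1; }
        }
    }
    return in[idx];
}

int main(void)
{
    printf("live-in at gotox, use omitted: 0x%x\n", (unsigned)live_in_at(2, 0));
    printf("live-in at gotox, use marked:  0x%x\n", (unsigned)live_in_at(2, 1));
    return 0;
}
```

In this model, omitting the use makes r3 appear dead at the jump and at the instruction before it even though the jump reads it; marking the use keeps r3 live from its definition through the jump.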

Defensive priority

High. This is a kernel-level flaw with local attack requirements and high CVSS impact across confidentiality, integrity, and availability.

Recommended defensive actions

  • Apply the Linux kernel fix referenced by the stable commit links in the source corpus.
  • Prioritize backporting or distribution updates that include the corrected BPF live-register handling.
  • Verify affected kernels in fleet inventories, especially systems that expose BPF functionality to local users or workloads.
  • Track the CVE and NVD records for any update to affected version ranges or remediation notes.

Evidence notes

The only supported technical details in the supplied corpus are the CVE description and the NVD reference metadata. The description states that live-register tracking in `compute_insn_live_regs()` failed to mark `rX` as used for `gotox rX`, and the NVD record cites two Linux kernel stable commit URLs as references. No exploit narrative, affected version list, or weaponized reproduction details were provided in the corpus.

Official resources

CVE published on 2026-05-08 and modified on 2026-05-11. Use the published date for timing context; no separate exploit disclosure timeline was provided in the supplied corpus. The NVD record was in Received status at the time of the source.