PatchSiren

CVE-2026-43070 Linux CVE debrief

A logic error in the Linux kernel's BPF verifier fails to reset the scalar register ID after BPF_END (byte-swap) operations. When a register that shares a scalar ID with another register undergoes byte-swap mutation, the verifier incorrectly propagates learned bounds to the linked register during conditional jumps. This false confidence in register values can lead to out-of-bounds memory access. The fix explicitly sets dst_reg->id to 0 in the BPF_END case, matching the behavior of BPF_NEG via __mark_reg_known.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-05
Original CVE updated: 2026-05-29
Advisory published: 2026-05-05
Advisory updated: 2026-05-29

Who should care

Linux kernel maintainers, security operations teams running eBPF workloads, and organizations with unprivileged BPF enabled on multi-tenant or edge systems.

Technical summary

The BPF verifier tracks scalar values across registers using shared IDs. When BPF_END mutates a register in-place, the existing code does not clear dst_reg->id, so the swapped register remains tied to its original scalar ID. A subsequent conditional branch on the swapped register then propagates bounds to the linked register as if it had also been swapped, producing incorrect range information. An attacker can leverage this to pass verification with unsafe memory accesses. The resolution adds an explicit dst_reg->id = 0 assignment in the BPF_END handling path, breaking the scalar tie and preventing erroneous bounds propagation.
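
A simplified model of the scalar-ID link described above, added here as an illustration (it is not kernel code and not taken from the advisory). The struct, the function names, the three-register file and the choice to treat a swapped value's bounds as unknown are assumptions of the model; `reset_id` selects between the behaviour before and after the fix.

```c
#include <stdbool.h>
#include <stdint.h>

/* Toy register state: a scalar ID plus unsigned bounds (constructed model). */
struct reg { uint32_t id; uint64_t umin, umax; };
enum { NREGS = 3 };

/* r_dst = r_src: the copy shares the source's scalar ID. */
static void mov(struct reg *regs, int dst, int src, uint32_t *next_id)
{
    if (regs[src].id == 0)
        regs[src].id = ++*next_id;
    regs[dst] = regs[src];
}

/* In-place byte swap. The model forgets the bounds; reset_id selects
 * whether the scalar ID is also cleared (true = behaviour after the fix). */
static void byte_swap(struct reg *r, bool reset_id)
{
    r->umin = 0;
    r->umax = UINT64_MAX;
    if (reset_id)
        r->id = 0;
}

/* True branch of "if r < limit" (limit > 0): narrow r, then copy the new
 * bounds to every register that still shares its scalar ID. */
static void branch_lt(struct reg *regs, int r, uint64_t limit)
{
    if (limit - 1 < regs[r].umax)
        regs[r].umax = limit - 1;
    for (int i = 0; regs[r].id != 0 && i < NREGS; i++)
        if (regs[i].id == regs[r].id) {
            regs[i].umin = regs[r].umin;
            regs[i].umax = regs[r].umax;
        }
}

/* r2 = r1; r1 = bswap(r1); if r1 < 32. Returns the upper bound the
 * model now believes for r2, which still holds the unswapped value. */
uint64_t linked_umax_after_swap(bool reset_id)
{
    struct reg regs[NREGS] = { {0, 0, UINT64_MAX}, {0, 0, UINT64_MAX},
                               {0, 0, UINT64_MAX} };
    uint32_t next_id = 0;

    mov(regs, 2, 1, &next_id);
    byte_swap(&regs[1], reset_id);
    branch_lt(regs, 1, 32);
    return regs[2].umax;
}
```

With the ID left in place, the model concludes that r2 is at most 31 even though r2 was never swapped or compared; with the ID cleared, r2 keeps its full range.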

Defensive priority

HIGH

Recommended defensive actions

  • Apply the relevant stable kernel patch for your branch (6.18.x, 6.19.x, or 7.0-rc) to ensure the BPF verifier resets dst_reg->id after BPF_END operations.
  • Rebuild and deploy the updated kernel; BPF programs loaded after the fix will be correctly verified.
  • If immediate patching is not possible, restrict unprivileged BPF usage (e.g., kernel.unprivileged_bpf_disabled=1) to reduce attack surface, noting this may affect legitimate eBPF tooling.
  • Audit systems for unexpected kernel panics or privilege-escalation indicators that could stem from BPF-based exploitation.

Evidence notes

The vulnerability description was published 2026-05-05 and last modified 2026-05-29. NVD lists the flaw as Analyzed with CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and CWE-125 (Out-of-bounds Read). Affected versions include Linux kernel 6.18.17 through 6.18.20, 6.19.7 through 6.19.10, and 7.0-rc1 through 7.0-rc4. Three stable-tree patches are referenced.
