PatchSiren

CVE-2026-45932 Linux CVE debrief

A permission bypass vulnerability in the Linux kernel's BPF subsystem allowed unprivileged users to detach BPF programs from tcx and netkit network devices when no program file descriptor was provided to BPF_PROG_DETACH. The vulnerability stemmed from missing capability checks in this specific code path. The fix adds verification that the calling process holds CAP_NET_ADMIN or CAP_SYS_ADMIN before allowing detach operations without an explicit program fd. This affects kernel versions prior to the patched commits.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators, kernel security teams, and organizations using BPF-based network security controls on tcx or netkit interfaces. Cloud providers and container platforms relying on BPF for network policy enforcement should prioritize patching.

Technical summary

The BPF subsystem in the Linux kernel failed to validate capabilities when processing BPF_PROG_DETACH operations on tcx (TC eXpress Data Path) and netkit devices without an explicit program file descriptor. Normally, providing a program fd allows the kernel to verify ownership; however, the alternative path that detaches by device/index alone lacked CAP_NET_ADMIN or CAP_SYS_ADMIN checks. This permitted any local user to remove BPF programs from these network interfaces, potentially disrupting network filtering, monitoring, or redirection policies. The resolution adds capability verification to this code path, ensuring only privileged users can perform detach operations without explicit program ownership.

Defensive priority

high

Recommended defensive actions

  • Apply kernel patches from stable tree commits referenced in official sources
  • Verify BPF detach operations require appropriate capabilities in deployed kernels
  • Review systems with unprivileged BPF access for unauthorized program detachment
  • Monitor for anomalous BPF program state changes on tcx/netkit interfaces
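
An added example for the monitoring action above (not part of the CVE record or the kernel fix): it compares two snapshots of attached programs and reports tcx/netkit attachments that disappeared while their device is still present. The JSON shape is assumed to follow `bpftool -j net show` (a `tc` list with `devname`, `kind`, `name`, `prog_id`); the snapshots, device names and program names are constructed.

```python
import json

# Attach kinds covered by this advisory; strings assumed to match bpftool's "kind" field.
WATCHED = ("tcx/", "netkit/")

def attachments(snapshot_json):
    """Map (devname, kind, prog_id) -> program name for tcx/netkit entries."""
    found = {}
    for netns in json.loads(snapshot_json):
        for e in netns.get("tc", []):
            if e.get("kind", "").startswith(WATCHED):
                found[(e["devname"], e["kind"], e["prog_id"])] = e.get("name", "")
    return found

def vanished(before_json, after_json, live_devs):
    """Attachments present before but not after, split by whether the device still exists."""
    before, after = attachments(before_json), attachments(after_json)
    report = []
    for dev, kind, prog_id in sorted(before.keys() - after.keys()):
        # A removed device takes its programs with it; a missing program on a
        # live device is the case to investigate. A replaced program also
        # appears here under its old prog_id.
        reason = "detached" if dev in live_devs else "device_removed"
        report.append((dev, kind, prog_id, before[(dev, kind, prog_id)], reason))
    return report

def _snap(entries):
    # Constructed sample data, not captured from a real host.
    return json.dumps([{"xdp": [], "tc": entries, "flow_dissector": []}])

BEFORE = _snap([
    {"devname": "eth0", "ifindex": 2, "kind": "tcx/ingress", "name": "policy_in", "prog_id": 41},
    {"devname": "eth0", "ifindex": 2, "kind": "tcx/egress", "name": "policy_out", "prog_id": 42},
    {"devname": "nk0", "ifindex": 7, "kind": "netkit/primary", "name": "pod_fw", "prog_id": 50},
    {"devname": "eth1", "ifindex": 3, "kind": "clsact/ingress", "name": "legacy", "prog_id": 9},
])
AFTER = _snap([
    {"devname": "eth0", "ifindex": 2, "kind": "tcx/egress", "name": "policy_out", "prog_id": 42},
])

if __name__ == "__main__":
    # live_devs would come from the host's current interface list.
    for row in vanished(BEFORE, AFTER, live_devs={"eth0", "eth1"}):
        print(row)
```

Rows marked `detached` are the ones to correlate with who held CAP_NET_ADMIN or CAP_SYS_ADMIN at the time; on an unpatched kernel the caller may have had neither.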

Evidence notes

The vulnerability description is sourced from the official CVE record published 2026-05-27. Three kernel.org stable tree commits are referenced as resolution sources. The vendor identification carries low confidence and requires review, with 'Kernel' identified as a reference domain candidate.

Official resources

2026-05-27