PatchSiren cyber security CVE debrief
CVE-2026-45933 Linux CVE debrief
A logic flaw in the Linux kernel's BPF verifier allows incorrect register ID propagation during bounds synchronization, potentially enabling unsafe code paths including division by zero. The vulnerability exists in sync_linked_regs() which incorrectly copies BPF_ADD_CONST state when propagating bounds between linked registers, causing subsequent register links to break and preventing proper bounds propagation. This can lead to the verifier incorrectly approving unsafe BPF programs that should have been rejected.
- Vendor: Linux
- Product: Unknown
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Linux system administrators, kernel security teams, organizations running containerized workloads with BPF support, and security researchers tracking kernel verifier vulnerabilities.
Technical summary
The BPF verifier's sync_linked_regs() function propagates bounds from a known register to linked registers but incorrectly copies the BPF_ADD_CONST flag along with the bounds. When a register with BPF_ADD_CONST is later copied to another register, assign_scalar_id_before_mov() assigns a new ID instead of preserving the existing link. This breaks the chain of register relationships, preventing subsequent bounds updates from propagating correctly. The demonstrated impact is a division by zero that passes verification due to stale bounds information. The fix preserves the original register ID during synchronization, maintaining proper register relationships throughout verification.
Defensive priority
high
Recommended defensive actions
- Apply kernel updates containing the fix for CVE-2026-45933 to affected systems
- Verify running kernel version includes commit 58059335e46537de682db84984f7716c813208c4 or equivalent backports
- Review systems allowing unprivileged BPF for exposure assessment
- Monitor for kernel security advisories from distribution maintainers
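The exposure review and fix verification above can be scripted per host. The following is an added example, not code from the advisory or the kernel project: it classifies the kernel.unprivileged_bpf_disabled sysctl and searches a kernel package changelog for the CVE ID or the fix commit. The function names, the output labels and the assumption that the distribution changelog names the CVE or the upstream commit are illustrative.

```shell
#!/bin/sh
# Added example: exposure triage for CVE-2026-45933 on one host.
CVE_ID="CVE-2026-45933"
FIX_COMMIT="58059335e46537de682db84984f7716c813208c4"   # from the advisory

# Classify kernel.unprivileged_bpf_disabled (0, 1 or 2) read from a file.
bpf_unpriv_status() {
    f="${1:-/proc/sys/kernel/unprivileged_bpf_disabled}"
    [ -r "$f" ] || { echo "unknown"; return 0; }
    case "$(tr -d '[:space:]' < "$f")" in
        0) echo "allowed" ;;            # unprivileged bpf() calls enabled
        1) echo "disabled-locked" ;;    # disabled, cannot be re-enabled until reboot
        2) echo "disabled-admin" ;;     # disabled, but an admin can set it back to 0
        *) echo "unknown" ;;
    esac
}

# Succeed if a changelog text names the CVE or the upstream fix commit
# (full hash or its 12-character abbreviation). Assumption: the
# distribution's changelog references one of the two.
changelog_mentions_fix() {
    short=$(printf '%s' "$FIX_COMMIT" | cut -c1-12)
    grep -q -i -e "$CVE_ID" -e "$short" "$1" 2>/dev/null
}

# Print one triage line (labels are this example's own).
# $1 = sysctl file (empty for the live /proc path), $2 = changelog file.
assess_cve_exposure() {
    status=$(bpf_unpriv_status "${1:-}")
    if [ -n "${2:-}" ] && changelog_mentions_fix "$2"; then
        echo "fix-referenced unpriv_bpf=$status"
    elif [ "$status" = "allowed" ]; then
        echo "patch-first unpriv_bpf=$status"
    elif [ "$status" = "unknown" ]; then
        echo "verify-manually unpriv_bpf=$status"
    else
        echo "patch-scheduled unpriv_bpf=$status"
    fi
}

# Live host: sysctl from /proc, optional changelog path as first argument.
assess_cve_exposure "" "${1:-}"
```

A changelog match describes the installed kernel package, so confirm with `uname -r` that the host has rebooted into that kernel. Disabling unprivileged BPF narrows who can reach the verifier but does not replace the kernel update.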
Evidence notes
The vulnerability was resolved in the Linux kernel with a fix that preserves register ID in sync_linked_regs() alongside off and subreg_def fields. The issue was demonstrated through a selftest showing how broken register links allowed a division by zero to pass verification. Multiple stable kernel branches received patches.
Official resources
- CVE-2026-45933 CVE record (CVE.org)
- CVE-2026-45933 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
2026-05-27