Detections
Analytics

CVE-2026-53076

critical

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix OOB in pcpu_init_value An out-of-bounds read occurs when copying element from a BPF_MAP_TYPE_CGROUP_STORAGE map to another pcpu map with the same value_size that is not rounded up to 8 bytes. The issue happens when: 1. A CGROUP_STORAGE map is created with value_size not aligned to 8 bytes (e.g., 4 bytes) 2. A pcpu map is created with the same value_size (e.g., 4 bytes) 3. Update element in 2 with data in 1 pcpu_init_value assumes that all sources are rounded up to 8 bytes, and invokes copy_map_value_long to make a data copy, However, the assumption doesn't stand since there are some cases where the source may not be rounded up to 8 bytes, e.g., CGROUP_STORAGE, skb->data. the verifier verifies exactly the size that the source claims, not the size rounded up to 8 bytes by kernel, an OOB happens when the source has only 4 bytes while the copy size(4) is rounded up to 8.

References

https://git.kernel.org/stable/c/e19c5ed9f1922a6854073f8651a63fa7be26e9e9

https://git.kernel.org/stable/c/e0378419b0e20178b5d100b27c9cc7e51064202e

https://git.kernel.org/stable/c/634a793d0e1c822412095d25a1338f8831ad894c

https://git.kernel.org/stable/c/6086079e6d1c32ba4c4b422612b8aebb1129a96c

https://git.kernel.org/stable/c/576afddfee8d1108ee299bf10f581593540d1a36

Details

Source: Mitre, NVD

Published: 2026-06-24

Updated: 2026-06-24

Risk Information

CVSS v2

Base Score: 2.1

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N

Severity: Low

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00156