CVE-2023-54181
Description
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix issue in verifying allow_ptr_leaks
After we converted the capabilities of our networking-bpf program from cap_sys_admin to cap_net_admin+cap_bpf, our networking-bpf program failed to start, because it failed the bpf verifier with the error log "R3 pointer comparison prohibited".
A simple reproducer is as follows:
SEC("cls-ingress")
int ingress(struct __sk_buff *skb)
{
    struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr);

    if ((long)(iph + 1) > (long)skb->data_end)
        return TC_ACT_STOLEN;
    return TC_ACT_OK;
}
Per discussion with Yonghong and Alexei [1], comparison of two packet pointers is not a pointer leak. This patch fixes it.
Our local kernel is 6.1.y and we expect this fix to be backported to 6.1.y, so stable is CCed.
[1]. https://lore.kernel.org/bpf/CAADnVQ+Nmspr7Si+pxWn8zkE7hX-7s93ugwC+94aXSy4uQ9vBg@mail.gmail.com/
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Linux kernel BPF verifier bug incorrectly flagged comparison of two packet pointers as a pointer leak, breaking programs using CAP_NET_ADMIN+CAP_BPF.
Vulnerability
A bug in the Linux kernel's BPF verifier caused it to incorrectly reject programs that compare two packet pointers (e.g., checking if (iph + 1) > skb->data_end). The verifier treated such comparisons as a pointer leak, even though comparing two pointers derived from the same packet context does not expose kernel memory addresses. This issue was discovered after a networking BPF program that switched from CAP_SYS_ADMIN to CAP_NET_ADMIN+CAP_BPF started failing with the error "R3 pointer comparison prohibited" [1].
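The decision described above, as an added C model that is not kernel source and not part of the original record. It assumes `allow_ptr_leaks` is false for a CAP_NET_ADMIN+CAP_BPF loader and true for CAP_SYS_ADMIN, as the description implies; the function names are hypothetical and the register types are simplified stand-ins for the verifier's.

```c
/* Simplified model of the verifier's pointer-comparison gate; not kernel source. */
#include <stdbool.h>
#include <stdio.h>

enum reg_type { SCALAR_VALUE, PTR_TO_STACK, PTR_TO_PACKET, PTR_TO_PACKET_END };
struct reg { enum reg_type type; };

/* Constructed sample registers: iph + 1, skb->data_end, a stack address, a number. */
static const struct reg PKT = { PTR_TO_PACKET }, PKT_END = { PTR_TO_PACKET_END };
static const struct reg STACK = { PTR_TO_STACK }, SCALAR = { SCALAR_VALUE };

static bool is_pkt_pointer(const struct reg *r)
{
    return r->type == PTR_TO_PACKET || r->type == PTR_TO_PACKET_END;
}

/* A pointer operand counts as a leak unless the loader has allow_ptr_leaks. */
static bool leaks(bool allow_ptr_leaks, const struct reg *r)
{
    return !allow_ptr_leaks && r->type != SCALAR_VALUE;
}

/* Behaviour the description reports: every pointer operand is refused. */
static bool cmp_allowed_before(bool allow_ptr_leaks, const struct reg *dst, const struct reg *src)
{
    return !leaks(allow_ptr_leaks, dst) && !leaks(allow_ptr_leaks, src);
}

/* Fixed behaviour (assumed model): two packet pointers may be compared,
 * any other pointer operand is still refused without allow_ptr_leaks. */
static bool cmp_allowed_after(bool allow_ptr_leaks, const struct reg *dst, const struct reg *src)
{
    if (is_pkt_pointer(dst) && is_pkt_pointer(src))
        return true;
    return cmp_allowed_before(allow_ptr_leaks, dst, src);
}

int main(void)
{
    const char *no = "pointer comparison prohibited", *ok = "accepted";

    /* allow_ptr_leaks = false models the CAP_NET_ADMIN+CAP_BPF loader (assumption). */
    printf("before fix, pkt vs pkt_end: %s\n", cmp_allowed_before(false, &PKT, &PKT_END) ? ok : no);
    printf("after fix,  pkt vs pkt_end: %s\n", cmp_allowed_after(false, &PKT, &PKT_END) ? ok : no);
    printf("after fix,  stack vs scalar: %s\n", cmp_allowed_after(false, &STACK, &SCALAR) ? ok : no);
    return 0;
}
```

The third case shows what an operator should still expect after patching: in this model only the packet-pointer pair is exempted, so a comparison involving any other pointer type continues to be refused for a loader without `allow_ptr_leaks`.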
Exploitation
No special privileges beyond those needed to load BPF programs are required to trigger the bug. An attacker who can load a crafted BPF program (e.g., via cls-ingress in tc) could cause the verifier to reject legitimate packet parsing logic, leading to denial of service for network filtering or monitoring functionality. The bug is triggered by any BPF program that performs a relational comparison between two pointers derived from the packet data, such as bounds checking [1].
Impact
The primary impact is denial of service: legitimate BPF programs that perform packet pointer comparisons are rejected by the verifier, preventing them from loading and executing. This can disrupt network security monitoring, traffic shaping, or other BPF-based networking features. There is no evidence of memory corruption or privilege escalation [1].
Mitigation
The fix was committed to the Linux kernel and backport branches for stable kernels, including 6.1.y. Users should apply the kernel patch referenced in the commit [1]. No workaround exists other than updating the kernel or avoiding BPF programs that compare packet pointers from the same packet context.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 4
c96c67991aac, 5927f0172d28, acfdc8b77016, d75e30dddf73
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References