VYPR
Low severity · 3.3 · NVD Advisory · Published Jun 3, 2026 · Updated Jun 3, 2026

CVE-2026-10722

Description

A local integer overflow vulnerability in cilium/ebpf's BTF parser can lead to a denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A vulnerability exists in the loadRawSpec function in btf/btf.go of the cilium/ebpf library, affecting versions up to 0.21.0 [1, 2]. The issue is an integer overflow in the handling of the offset argument when processing BTF string-table entries. It is triggered when parsing malformed BTF or BTF.ext metadata, where a non-zero string offset equal to BTF StringLen is incorrectly treated as valid [2].

Exploitation

An attacker must have local access to the system to exploit this vulnerability. The exploit involves providing a specially crafted ELF file containing malformed BTF metadata to the LoadCollectionSpec or LoadCollectionSpecFromReader APIs. This malformed input causes the parser to incorrectly handle string offsets, leading to an integer overflow and subsequent parser panic [1, 2].

Impact

Successful exploitation of this vulnerability results in a denial of service (DoS) for the affected process. The cilium/ebpf parser panics when encountering the malformed input, crashing the application that attempts to load the eBPF collection specification. The demonstrated impact is limited to DoS, with no other privileges or information disclosure mentioned in the available references [2].

Mitigation

A patch addressing this issue was released on May 27, 2026, as part of pull request #2021 in the cilium/ebpf repository [4]. The fix involves casting uint32 values to uint64 before addition to prevent integer overflow and adding checks for null terminators in string tables to prevent panics. Users should update to a version of cilium/ebpf that includes this fix. No specific fixed version number is provided, but the patch commit is 533dfc82fd228bfadf42ea7180c39de7d9af47fa [1].

AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

533dfc82fd22

btf: Fixed integer overflow in length checking

https://github.com/cilium/ebpf · Dylan Reimerink · May 27, 2026 · via nvd-ref
1 file changed · +2 −2
  • btf/btf.go (+2 −2, modified)
    @@ -214,7 +214,7 @@ func loadRawSpec(btf []byte, base *Spec) (*Spec, error) {
     	}
     	btf = btf[header.HdrLen:]
     
    -	if int(header.StringOff+header.StringLen) > len(btf) {
    +	if uint64(header.StringOff)+uint64(header.StringLen) > uint64(len(btf)) {
     		return nil, fmt.Errorf("string table is out of bounds")
     	}
     	stringsSection := btf[header.StringOff : header.StringOff+header.StringLen]
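Review bot: the slice on the line after the check, `stringsSection := btf[header.StringOff : header.StringOff+header.StringLen]`, still computes its end bound as a uint32 sum, so the check and the slice use different arithmetic. The check now guarantees the 64-bit sum is at most len(btf), so the uint32 sum can only wrap again if len(btf) itself exceeds 4 GiB, but hoisting `end := uint64(header.StringOff) + uint64(header.StringLen)` and slicing with `btf[header.StringOff:end]` would make that invariant explicit and remove the duplicated expression. Worth noting too that the mitigation text above credits this fix with adding null-terminator checks for the string table, while this commit changes only the two bounds comparisons; that part of the fix is not in these hunks.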
    @@ -224,7 +224,7 @@ func loadRawSpec(btf []byte, base *Spec) (*Spec, error) {
     		return nil, fmt.Errorf("read string section: %w", err)
     	}
     
    -	if int(header.TypeOff+header.TypeLen) > len(btf) {
    +	if uint64(header.TypeOff)+uint64(header.TypeLen) > uint64(len(btf)) {
     		return nil, fmt.Errorf("types section is out of bounds")
     	}
     	typesSection := btf[header.TypeOff : header.TypeOff+header.TypeLen]
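Review bot: same pattern for the types section: `typesSection := btf[header.TypeOff : header.TypeOff+header.TypeLen]` re-adds the two fields in uint32 after the widened check. Since the string and type checks are now identical apart from field names and error text, a small helper taking `(off, length uint32, total int)` would keep them from drifting apart. The commit also carries no regression test; a header whose StringOff/StringLen (and TypeOff/TypeLen) sum wraps in uint32 to a value below len(btf) would pin both fixes and would have caught the original bug.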
    

Vulnerability mechanics

Root cause

"Integer overflow in bounds checking for string and type sections of BTF data."

Attack vector

An attacker with local access can craft a malformed ELF file with specific values for `StringOff`, `StringLen`, `TypeOff`, and `TypeLen`. When the `loadRawSpec` function processes this malformed input, the integer overflow in the bounds check lets the parser attempt to slice past the end of the `btf` buffer, which panics and results in a denial of service. This vulnerability can only be exploited from a local environment [ref_id=1].

Affected code

The vulnerability resides in the `loadRawSpec` function within the `btf/btf.go` file. Specifically, the checks for `header.StringOff + header.StringLen` and `header.TypeOff + header.TypeLen` against the total length of the `btf` byte slice are susceptible to integer overflow [ref_id=2].

What the fix does

The patch addresses the integer overflow by casting the `uint32` values of `StringOff` and `StringLen` (and similarly for `TypeOff` and `TypeLen`) to `uint64` before performing addition and comparison. This prevents the overflow from occurring when these values are large, ensuring that the bounds check correctly identifies out-of-bounds conditions and returns an error instead of causing a panic [ref_id=2][patch_id=4655745].
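The pre-fix and patched arithmetic side by side, together with the string-table checks the mitigation paragraph mentions, as an added Go example that is not cilium/ebpf's own code: `vulnerableInBounds` mirrors the old comparison, `fixedInBounds` the patched one, and `section` and `stringAt` are hypothetical helpers showing how to slice with the widened bound and how to reject an offset equal to the table length or a missing NUL terminator. All input values are constructed.

```go
package main

import "fmt"

// vulnerableInBounds mirrors the pre-fix check: off and n are added as
// uint32 first, so a sum past 2^32 wraps to a small value and passes.
func vulnerableInBounds(off, n uint32, total int) bool {
	return int(off+n) <= total
}

// fixedInBounds widens each operand to uint64 before adding, as the patch does.
func fixedInBounds(off, n uint32, total int) bool {
	return uint64(off)+uint64(n) <= uint64(total)
}

// section returns buf[off:off+n] or an error. It slices with the same
// widened end the check used, so the check and the slice cannot disagree.
func section(buf []byte, off, n uint32, name string) ([]byte, error) {
	end := uint64(off) + uint64(n)
	if end > uint64(len(buf)) {
		return nil, fmt.Errorf("%s section is out of bounds", name)
	}
	return buf[off:end], nil
}

// stringAt reads the NUL-terminated string at off in a BTF string table.
// An offset equal to the table length, or a missing terminator, is an error.
func stringAt(table []byte, off uint32) (string, error) {
	if uint64(off) >= uint64(len(table)) {
		return "", fmt.Errorf("string offset %d out of bounds", off)
	}
	for i := int(off); i < len(table); i++ {
		if table[i] == 0 {
			return string(table[off:i]), nil
		}
	}
	return "", fmt.Errorf("string at offset %d is not NUL-terminated", off)
}

func main() {
	// Constructed input: 64 payload bytes and a string section whose
	// offset and length sum to 0x1_0000_0010, wrapping to 0x10.
	body := make([]byte, 64)
	off, n := uint32(0xFFFFFFF0), uint32(0x20)
	fmt.Println(vulnerableInBounds(off, n, len(body))) // true: wrapped sum passes
	fmt.Println(fixedInBounds(off, n, len(body)))      // false
	_, err := section(body, off, n, "string")
	fmt.Println(err) // string section is out of bounds
	fmt.Println(stringAt([]byte("\x00foo\x00bar"), 5)) // constructed table, no final NUL: error
}
```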

Preconditions

  • Input: the attacker must provide a malformed ELF file with crafted BTF metadata.
  • Auth: the attacker must have local access to the system running the vulnerable code.

Reproduction

go run ghsa-btf-string-offset-gist/mutate_elf.go \
  -in cmd/bpf2go/testdata/minimal-el.elf \
  -out /tmp/cilium-ebpf-btf-nameoff-eq-stringlen.elf

go run ghsa-btf-string-offset-gist/worker_dos_poc.go \
  -input cmd/bpf2go/testdata/minimal-el.elf

Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
