Medium severity 5.5 · NVD Advisory · Published May 1, 2026 · Updated May 7, 2026

CVE-2026-43010

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Reject sleepable kprobe_multi programs at attach time

kprobe.multi programs run in atomic/RCU context and cannot sleep. However, bpf_kprobe_multi_link_attach() did not validate whether the program being attached had the sleepable flag set, allowing sleepable helpers such as bpf_copy_from_user() to be invoked from a non-sleepable context.

This causes a "sleeping function called from invalid context" splat:

  BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:169
  in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1787, name: sudo
  preempt_count: 1, expected: 0
  RCU nest depth: 2, expected: 0

Fix this by rejecting sleepable programs early in bpf_kprobe_multi_link_attach(), before any further processing.
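
For triage, the splat quoted above can be picked out of kernel logs and its fields extracted mechanically. This is an added example, not code from the kernel or from this advisory; the name find_splats, the resembles_advisory heuristic, and the sample log's timestamps and surrounding line are assumptions constructed for illustration.

```python
import re

# Patterns follow the splat text quoted in the advisory above.
HEADER = re.compile(
    r"BUG: sleeping function called from invalid context at (\S+):(\d+)")
FIELDS = {  # field -> (pattern, converter)
    "in_atomic": (re.compile(r"in_atomic\(\): (\d+)"), int),
    "irqs_disabled": (re.compile(r"irqs_disabled\(\): (\d+)"), int),
    "pid": (re.compile(r"pid: (\d+)"), int),
    "name": (re.compile(r"name: (\S+)"), str),
    # the kernel prints preempt_count in hex
    "preempt_count": (re.compile(r"preempt_count: ([0-9a-f]+), expected"),
                      lambda s: int(s, 16)),
    "rcu_depth": (re.compile(r"RCU nest depth: (\d+), expected"), int),
}

def find_splats(lines, window=4):
    """Return one dict per splat header found in `lines`.
    Fields are searched in the header line plus the lines after it, so both
    the wrapped dmesg form and a single-line rendering of the splat parse."""
    splats = []
    for i, line in enumerate(lines):
        m = HEADER.search(line)
        if not m:
            continue
        rec = {"file": m.group(1), "line": int(m.group(2))}
        chunk = " ".join(lines[i:i + window])
        for key, (pat, conv) in FIELDS.items():
            hit = pat.search(chunk)
            rec[key] = conv(hit.group(1)) if hit else None
        # Heuristic (assumption): same shape as the advisory's splat, i.e. the
        # check in uaccess.h firing while in atomic or RCU context.
        rec["resembles_advisory"] = bool(
            rec["file"].endswith("include/linux/uaccess.h")
            and (rec["in_atomic"] or rec["rcu_depth"]))
        splats.append(rec)
    return splats

# Constructed sample log: timestamps and the first line are invented; the
# splat fields are the ones quoted in the advisory.
SAMPLE_LOG = """\
[  812.104233] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[  812.291870] BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:169
[  812.291874] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1787, name: sudo
[  812.291876] preempt_count: 1, expected: 0
[  812.291877] RCU nest depth: 2, expected: 0
""".splitlines()

if __name__ == "__main__":
    print(find_splats(SAMPLE_LOG))
```

A match only shows that a sleeping call was reached from atomic context at that location; attributing it to a kprobe.multi program still requires the call trace that follows the splat in the log.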

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Linux kernel BPF subsystem failed to reject sleepable kprobe_multi programs, allowing invocations of sleeping helpers from atomic context, triggering kernel splats.

Vulnerability

The Linux kernel's BPF subsystem lacked a check in bpf_kprobe_multi_link_attach() to reject programs marked with the sleepable flag. Since kprobe.multi programs execute in atomic/RCU context, they must never invoke helpers that can sleep, such as bpf_copy_from_user(). The missing validation allowed such programs to be attached, leading to a "sleeping function called from invalid context" kernel splat, observed for example at include/linux/uaccess.h:169 [1].

Exploitation

To trigger this issue, an attacker must have the ability to load and attach a BPF program with the BPF_F_SLEEPABLE flag to a kprobe.multi link. This requires either privileged access (typically root or CAP_BPF and CAP_PERFMON) or a pre-existing means to load arbitrary BPF programs. The attack surface is limited to systems where unprivileged BPF is enabled or where a local attacker already has sufficient privileges.

Impact

When a sleepable helper is called from the atomic kprobe context, the kernel may attempt to reschedule or block, which is forbidden. This results in a BUG() splat, causing a kernel panic or a crash depending on the kernel configuration. The immediate consequence is denial of service; under some configurations, it might also allow speculative side-channel information disclosure, though the primary impact is system instability.

Mitigation

The fix is to add a check in bpf_kprobe_multi_link_attach() to reject any program that has the BPF_F_SLEEPABLE flag. The patch has been applied to the stable kernel branches [1][2][3]. Administrators should apply the updated kernel or backport the commit to their running kernel. No workaround is available other than restricting BPF program loading to trusted users.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Linux/Kernel: 8 versions
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* range: >=5.18,<6.18.22
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    • (no CPE)
