VYPR
Unrated severity · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-45839

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()

CO-RE accessor strings are colon-separated indices that describe a path from a root BTF type to a target field, e.g. "0:1:2" walks through nested struct members. bpf_core_parse_spec() parses each component with sscanf("%d"), so negative values like -1 are silently accepted. The subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the upper bound and always pass for negative values because C integer promotion converts the __u16 btf_vlen result to int, making the comparison (int)(-1) >= (int)(N) false for any positive N.

When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff, producing an out-of-bounds read far past the members array. A crafted BPF program with a negative CO-RE accessor on any struct that exists in vmlinux BTF (e.g. task_struct) crashes the kernel deterministically during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y (default on major distributions). The bug is reachable with CAP_BPF:

BUG: unable to handle page fault for address: ffffed11818b6626
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
Oops: Oops: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)
RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)
RAX: 00000000ffffffff
Call Trace:
 bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)
 bpf_core_apply (kernel/bpf/btf.c:9507)
 check_core_relo (kernel/bpf/verifier.c:19475)
 bpf_check (kernel/bpf/verifier.c:26031)
 bpf_prog_load (kernel/bpf/syscall.c:3089)
 __sys_bpf (kernel/bpf/syscall.c:6228)

CO-RE accessor indices are inherently non-negative (struct member index, array element index, or enumerator index), so reject them immediately after parsing.
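The integer-promotion slip described above, as an added example that is not kernel or libbpf code: a minimal model of the accessor-string parsing loop in bpf_core_parse_spec(), with a switch between the pre-fix and patched behaviour. Only the member count (a uint16_t, like the __u16 that btf_vlen() returns) is modelled; that simplification is an assumption of the demo.

```c
/* Added example (not kernel or libbpf code): a minimal model of the
 * accessor-string parsing loop in bpf_core_parse_spec(), showing why
 * "access_idx >= btf_vlen(t)" lets a negative index through and how the
 * upstream guard closes the hole. Only the member count is modelled. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Parse "0:1:2"-style accessors into idx[], checking each component
 * against vlen (uint16_t, like the __u16 that btf_vlen() returns).
 * with_fix selects the patched behaviour.
 * Returns the number of indices parsed, or a negative errno. */
int parse_accessor(const char *spec, uint16_t vlen, int with_fix,
                   int *idx, int max)
{
    int n = 0;
    while (*spec) {
        int access_idx, parsed_len;
        if (*spec == ':')
            ++spec;
        if (sscanf(spec, "%d%n", &access_idx, &parsed_len) != 1)
            return -EINVAL;
        if (with_fix && access_idx < 0)   /* the two-line upstream fix */
            return -EINVAL;
        if (n == max)
            return -E2BIG;
        /* Pre-fix bound check: vlen is promoted to int, so -1 >= N is
         * false for every positive N and a negative index passes. */
        if (access_idx >= vlen)
            return -EINVAL;
        idx[n++] = access_idx;
        spec += parsed_len;
    }
    return n;
}

/* Slot a member lookup would use after the cast to u32: -1 becomes
 * 0xffffffff, far past any members array. */
uint32_t member_slot(int access_idx)
{
    return (uint32_t)access_idx;
}

int main(void)
{
    int idx[8], n = parse_accessor("0:-1", 8, 0, idx, 8);
    printf("unpatched: rc=%d slot=0x%x\n", n, (unsigned)member_slot(idx[1]));
    printf("patched:   rc=%d\n", parse_accessor("0:-1", 8, 1, idx, 8));
    return 0;
}
```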

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A negative CO-RE accessor index in BPF programs causes an out-of-bounds read in the Linux kernel, leading to a crash during BPF_PROG_LOAD.

Vulnerability

The vulnerability resides in bpf_core_parse_spec() in tools/lib/bpf/relo_core.c. CO-RE accessor strings consist of colon-separated indices (e.g., "0:1:2") that describe a path through BTF types. The function parses each component using sscanf("%d"), which accepts negative values like -1. The subsequent bounds check access_idx >= btf_vlen(t) only guards the upper bound; due to C integer promotion, a negative access_idx passes the check because (int)(-1) >= (int)(N) is false for any positive N. This affects all Linux kernel versions with CONFIG_DEBUG_INFO_BTF=y (default on major distributions) and is reachable with CAP_BPF. The bug was introduced in the initial CO-RE implementation and is present in all kernels up to the fix.

Exploitation

An attacker with CAP_BPF (or root) can craft a BPF program that includes a CO-RE relocation with a negative accessor index on any struct present in vmlinux BTF (e.g., task_struct). The program is loaded via BPF_PROG_LOAD. The negative index is parsed and then passed to btf_member_bit_offset(), where it is cast to u32 0xffffffff, causing an out-of-bounds read far past the members array. No user interaction or race condition is required; the crash occurs deterministically during the verification phase.

Impact

Successful exploitation results in a kernel crash (NULL pointer dereference or page fault) due to an out-of-bounds read. The crash is a denial-of-service (DoS) condition. The attacker gains no privilege escalation or information disclosure beyond the crash; however, the system becomes unavailable. The bug is reliably triggerable and affects any system with CONFIG_DEBUG_INFO_BTF=y.

Mitigation

The fix was committed to the Linux kernel stable tree in commits [1] and [2]. The fix adds a check to reject negative accessor indices immediately after parsing. Users should update to a kernel version containing these commits. As a workaround, systems can disable CONFIG_DEBUG_INFO_BTF or restrict CAP_BPF to trusted users. No KEV listing is known at this time.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

Patches (10 listed, 5 distinct commits)

3ff85ae79e1a

bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()

1 file changed · +2 1
  • tools/lib/bpf/relo_core.c+2 1 modified
    diff --git a/tools/lib/bpf/relo_core.c b/tools/lib/bpf/relo_core.c
    index 63a4d5ad12d1a3..04c8febfc0aa73 100644
    --- a/tools/lib/bpf/relo_core.c
    +++ b/tools/lib/bpf/relo_core.c
    @@ -293,6 +293,8 @@ int bpf_core_parse_spec(const char *prog_name, const struct btf *btf,
     			++spec_str;
     		if (sscanf(spec_str, "%d%n", &access_idx, &parsed_len) != 1)
     			return -EINVAL;
    +		if (access_idx < 0)
    +			return -EINVAL;
     		if (spec->raw_len == BPF_CORE_SPEC_MAX_LEN)
     			return -E2BIG;
     		spec_str += parsed_len;
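Review bot: the added `if (access_idx < 0) return -EINVAL;` carries no comment, and its importance is not visible from the two lines themselves: the later `access_idx >= btf_vlen(t)` comparison is only sound once access_idx is known to be non-negative, because btf_vlen() returns __u16 and integer promotion makes `-1 >= N` false for every positive N. Suggest a one-line comment above the check, such as `/* member, array-element and enumerator indices are never negative */`, and a selftest that parses a spec with a negative component (e.g. "0:-1") and expects -EINVAL, so the guard cannot be dropped silently in a later refactor.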
    
1c22483a2c4b

bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()

1 file changed · +2 1
  • tools/lib/bpf/relo_core.c+2 1 modified
    diff --git a/tools/lib/bpf/relo_core.c b/tools/lib/bpf/relo_core.c
    index 6eea5edba58a58..0ccc8f548cbaab 100644
    --- a/tools/lib/bpf/relo_core.c
    +++ b/tools/lib/bpf/relo_core.c
    @@ -292,6 +292,8 @@ int bpf_core_parse_spec(const char *prog_name, const struct btf *btf,
     			++spec_str;
     		if (sscanf(spec_str, "%d%n", &access_idx, &parsed_len) != 1)
     			return -EINVAL;
    +		if (access_idx < 0)
    +			return -EINVAL;
     		if (spec->raw_len == BPF_CORE_SPEC_MAX_LEN)
     			return -E2BIG;
     		spec_str += parsed_len;
    
99dbab7b5a12

bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()

1 file changed · +2 1
  • tools/lib/bpf/relo_core.c+2 1 modified
    diff --git a/tools/lib/bpf/relo_core.c b/tools/lib/bpf/relo_core.c
    index 6eea5edba58a58..0ccc8f548cbaab 100644
    --- a/tools/lib/bpf/relo_core.c
    +++ b/tools/lib/bpf/relo_core.c
    @@ -292,6 +292,8 @@ int bpf_core_parse_spec(const char *prog_name, const struct btf *btf,
     			++spec_str;
     		if (sscanf(spec_str, "%d%n", &access_idx, &parsed_len) != 1)
     			return -EINVAL;
    +		if (access_idx < 0)
    +			return -EINVAL;
     		if (spec->raw_len == BPF_CORE_SPEC_MAX_LEN)
     			return -E2BIG;
     		spec_str += parsed_len;
    
76f2ebaf79a9

bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()

1 file changed · +2 1
  • tools/lib/bpf/relo_core.c+2 1 modified
    diff --git a/tools/lib/bpf/relo_core.c b/tools/lib/bpf/relo_core.c
    index 6eea5edba58a58..0ccc8f548cbaab 100644
    --- a/tools/lib/bpf/relo_core.c
    +++ b/tools/lib/bpf/relo_core.c
    @@ -292,6 +292,8 @@ int bpf_core_parse_spec(const char *prog_name, const struct btf *btf,
     			++spec_str;
     		if (sscanf(spec_str, "%d%n", &access_idx, &parsed_len) != 1)
     			return -EINVAL;
    +		if (access_idx < 0)
    +			return -EINVAL;
     		if (spec->raw_len == BPF_CORE_SPEC_MAX_LEN)
     			return -E2BIG;
     		spec_str += parsed_len;
    
36a9012f76ba

bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()

1 file changed · +2 1
  • tools/lib/bpf/relo_core.c+2 1 modified
    diff --git a/tools/lib/bpf/relo_core.c b/tools/lib/bpf/relo_core.c
    index 63a4d5ad12d1a3..04c8febfc0aa73 100644
    --- a/tools/lib/bpf/relo_core.c
    +++ b/tools/lib/bpf/relo_core.c
    @@ -293,6 +293,8 @@ int bpf_core_parse_spec(const char *prog_name, const struct btf *btf,
     			++spec_str;
     		if (sscanf(spec_str, "%d%n", &access_idx, &parsed_len) != 1)
     			return -EINVAL;
    +		if (access_idx < 0)
    +			return -EINVAL;
     		if (spec->raw_len == BPF_CORE_SPEC_MAX_LEN)
     			return -E2BIG;
     		spec_str += parsed_len;
    

Vulnerability mechanics

Root cause

"Missing input validation in bpf_core_parse_spec() allows negative CO-RE accessor indices to bypass bounds checks, leading to an out-of-bounds read."

Attack vector

An attacker with `CAP_BPF` can craft a BPF program containing a CO-RE relocation with a negative accessor index (e.g., -1) in the accessor string. The `bpf_core_parse_spec()` function parses this value with `sscanf("%d")`, which silently accepts negative numbers. The subsequent upper-bound check (`access_idx >= btf_vlen(t)`) passes because C integer promotion converts the `__u16` result to `int`, making the comparison `(int)(-1) >= (int)(N)` false for any positive N. The negative value is later cast to `u32 0xffffffff` in `btf_member_bit_offset()`, causing an out-of-bounds read far past the members array. This deterministically crashes the kernel during `BPF_PROG_LOAD` on any system with `CONFIG_DEBUG_INFO_BTF=y` (default on major distributions) [patch_id=2654212].

Affected code

The vulnerability resides in `bpf_core_parse_spec()` in `tools/lib/bpf/relo_core.c`. The function parses colon-separated CO-RE accessor indices using `sscanf("%d")` without validating that the parsed value is non-negative [patch_id=2654212].

What the fix does

The patch adds a single check, `if (access_idx < 0) return -EINVAL;`, immediately after the `sscanf()` call that parses each accessor component, so a negative index is rejected before it reaches the bounds checks or `btf_member_bit_offset()`.

Preconditions

  • auth: Attacker must have the CAP_BPF capability
  • config: System must have CONFIG_DEBUG_INFO_BTF=y (default on major distributions)
  • input: Attacker must submit a crafted BPF program with a negative CO-RE accessor index

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0)

No linked articles in our index yet.