VYPR
Unrated severity · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-45971

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Limit bpf program signature size

Practical BPF signatures are significantly smaller than KMALLOC_MAX_CACHE_SIZE.

Allowing larger sizes opens the door for abuse by passing excessive size values and forcing the kernel into expensive allocation paths (via kmalloc_large or vmalloc).

Affected products

1

Patches

6
ea1535e28bb3

bpf: Limit bpf program signature size

1 file changed · +7 1
  • kernel/bpf/syscall.c+7 1 modified
    diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
    index 5f59dd47a5b1c3..93bc0f4c65c57b 100644
    --- a/kernel/bpf/syscall.c
    +++ b/kernel/bpf/syscall.c
    @@ -2813,6 +2813,13 @@ static int bpf_prog_verify_signature(struct bpf_prog *prog, union bpf_attr *attr
     	void *sig;
     	int err = 0;
     
    +	/*
    +	 * Don't attempt to use kmalloc_large or vmalloc for signatures.
    +	 * Practical signature for BPF program should be below this limit.
    +	 */
    +	if (attr->signature_size > KMALLOC_MAX_CACHE_SIZE)
    +		return -EINVAL;
    +
     	if (system_keyring_id_check(attr->keyring_id) == 0)
     		key = bpf_lookup_system_key(attr->keyring_id);
     	else
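
Review bot: The bound in `if (attr->signature_size > KMALLOC_MAX_CACHE_SIZE)` reuses an allocator constant as the user-visible limit on signature length, and the comment above it never says how large a practical signature is expected to be. Suggest defining a signature-specific limit next to the check (a hypothetical name such as BPF_SIG_MAX_SIZE) or stating the expected size in the comment, so the rejection threshold is documented where user space can find it.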
    
    
    
5835a077c6f5

bpf: Limit bpf program signature size

1 file changed · +7 1
  • kernel/bpf/syscall.c+7 1 modified
    diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
    index f39367765f0c4f..2649e0472dfe04 100644
    --- a/kernel/bpf/syscall.c
    +++ b/kernel/bpf/syscall.c
    @@ -2825,6 +2825,13 @@ static int bpf_prog_verify_signature(struct bpf_prog *prog, union bpf_attr *attr
     	void *sig;
     	int err = 0;
     
    +	/*
    +	 * Don't attempt to use kmalloc_large or vmalloc for signatures.
    +	 * Practical signature for BPF program should be below this limit.
    +	 */
    +	if (attr->signature_size > KMALLOC_MAX_CACHE_SIZE)
    +		return -EINVAL;
    +
     	if (system_keyring_id_check(attr->keyring_id) == 0)
     		key = bpf_lookup_system_key(attr->keyring_id);
     	else
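
Review bot: The `return -EINVAL;` under the new size test gives a loader no way to tell "signature too large" apart from any other invalid attribute on the load path. Consider `-E2BIG` for this case, or mention the limit in the documentation for `signature_size`, so the failure can be diagnosed without reading the kernel source.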
    
    
    
eb8166c79097

bpf: Limit bpf program signature size

1 file changed · +7 1
  • kernel/bpf/syscall.c+7 1 modified
    diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
    index 763868d327b4a7..f89aa142f71b8a 100644
    --- a/kernel/bpf/syscall.c
    +++ b/kernel/bpf/syscall.c
    @@ -2815,6 +2815,13 @@ static int bpf_prog_verify_signature(struct bpf_prog *prog, union bpf_attr *attr
     	void *sig;
     	int err = 0;
     
    +	/*
    +	 * Don't attempt to use kmalloc_large or vmalloc for signatures.
    +	 * Practical signature for BPF program should be below this limit.
    +	 */
    +	if (attr->signature_size > KMALLOC_MAX_CACHE_SIZE)
    +		return -EINVAL;
    +
     	if (system_keyring_id_check(attr->keyring_id) == 0)
     		key = bpf_lookup_system_key(attr->keyring_id);
     	else
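
Review bot: The new test bounds `attr->signature_size` only from above, and nothing in the visible context rejects a zero size before the keyring lookup that follows. If a zero-length signature is not already refused elsewhere, reject it here as well; if it is, a short note in the comment saying where would make the check easier to review.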
    
    
    

Vulnerability mechanics

Root cause

"Missing upper-bound validation on signature_size allows an attacker to force the kernel into expensive kmalloc_large or vmalloc allocation paths."

Attack vector

An attacker with the ability to invoke the BPF program signature verification path (via the `BPF_PROG_LOAD` syscall with a signature) can pass an excessively large `signature_size` value in the `union bpf_attr` structure. Without the size check, the kernel would attempt to allocate memory via `kmalloc_large` or `vmalloc` for the oversized signature, forcing expensive allocation paths that could degrade system performance or contribute to resource exhaustion [patch_id=2660845].

Affected code

The vulnerability is in the `bpf_prog_verify_signature` function in `kernel/bpf/syscall.c` [patch_id=2660845]. The function did not validate the `attr->signature_size` parameter before using it for memory allocation.

What the fix does

The patch adds a single check at the top of `bpf_prog_verify_signature` that returns `-EINVAL` if `attr->signature_size > KMALLOC_MAX_CACHE_SIZE` [patch_id=2660845]. This keeps the kernel from attempting `kmalloc_large` or `vmalloc` for signature buffers and limits those allocations to the slab-backed `kmalloc` caches, which are efficient and bounded. The commit message gives the rationale: practical BPF signatures are significantly smaller than `KMALLOC_MAX_CACHE_SIZE`, so the limit does not affect legitimate use cases. The comment in the patch says the same, that a practical signature should be below this limit.
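
The ordering the fix enforces, modelled in user space as an added example (not kernel code and not part of the advisory or the patch). `model_copy_signature`, `struct model_attr` and `MODEL_MAX_CACHE_SIZE` are hypothetical stand-ins, the 8 KiB value is an assumption for `KMALLOC_MAX_CACHE_SIZE`, and `malloc` replaces the kernel allocators.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: stand-in for KMALLOC_MAX_CACHE_SIZE (two 4 KiB pages here).
 * The kernel derives the real value from its slab configuration. */
#define MODEL_MAX_CACHE_SIZE (2u * 4096u)

/* Hypothetical struct: only the bpf_attr fields the patch reads. */
struct model_attr {
	const void *signature;
	uint32_t signature_size;
};

enum alloc_path { PATH_NONE, PATH_SLAB_CACHE, PATH_LARGE };

/* Copy the caller-supplied signature before verifying it. `bounded` selects
 * the patched behaviour; `path` reports the allocator class for that size. */
int model_copy_signature(const struct model_attr *attr, int bounded,
			 void **copy, enum alloc_path *path)
{
	*copy = NULL;
	*path = PATH_NONE;
	/* The fix: reject before any allocation is attempted. */
	if (bounded && attr->signature_size > MODEL_MAX_CACHE_SIZE)
		return -EINVAL;

	*path = attr->signature_size > MODEL_MAX_CACHE_SIZE ? PATH_LARGE : PATH_SLAB_CACHE;
	*copy = malloc(attr->signature_size ? attr->signature_size : 1);
	if (!*copy)
		return -ENOMEM;
	memcpy(*copy, attr->signature, attr->signature_size);
	return 0;
}

int main(void)
{
	static unsigned char blob[MODEL_MAX_CACHE_SIZE + 1]; /* constructed input */
	struct model_attr attr = { blob, sizeof(blob) };
	enum alloc_path path;
	void *copy;
	int ret = model_copy_signature(&attr, 0, &copy, &path);
	printf("unbounded: ret=%d path=%d\n", ret, path);
	free(copy);
	ret = model_copy_signature(&attr, 1, &copy, &path);
	printf("bounded:   ret=%d path=%d\n", ret, path);
	return 0;
}
```

A size exactly equal to the limit is still accepted, because the comparison is `>` rather than `>=`.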

Preconditions

  • auth: Attacker must be able to invoke the BPF program signature verification path, typically via the BPF_PROG_LOAD syscall with a signature attribute
  • input: Attacker must be able to pass a controlled signature_size value in the bpf_attr union

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
