CVE-2026-45839

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description An issue exists in the Linux kernel where the bpf core parse spec() function fails to reject negative CO-RE (Compile Once - Run Everywhere) accessor indices. CO-RE accessor strings use colon-separated indices to describe a path from a root BTF (BPF Type Format) type to a target field. Because these indices are parsed using sscanf("%d"), negative values are accepted. Subsequent bounds checks only verify the upper bound, allowing negative values to pass due to C integer promotion. When a negative value reaches btf member bit offset(), it is cast to u32 0xffffffff, resulting in an out-of-bounds read. A crafted BPF program utilizing a negative CO-RE accessor on a struct within the vmlinux BTF can cause a deterministic kernel crash during BPF PROG LOAD on systems with CONFIG DEBUG INFO BTF=y. This is reachable with CAP BPF privileges.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.