PT-2026-51972 · Linux · Linux
Published 2026-06-24 · Updated 2026-06-24 · CVE-2026-53078
Severity: None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix same-register dst/src OOB read and pointer leak in sock ops
When a BPF sock ops program accesses ctx fields with dst_reg == src_reg, the SOCK_OPS_GET_SK() and SOCK_OPS_GET_FIELD() macros fail to zero the destination register in the !fullsock / !locked_tcp_sock path.
Both macros borrow a temporary register to check is_fullsock / is_locked_tcp_sock when dst_reg == src_reg, because dst_reg holds the ctx pointer. When the check is false (e.g., TCP_NEW_SYN_RECV state with a request sock), dst_reg should be zeroed but is not, leaving the stale ctx pointer:
- SOCK_OPS_GET_SK: dst_reg retains the ctx pointer, passes NULL checks as PTR_TO_SOCKET_OR_NULL, and can be used as a bogus socket pointer, leading to stack-out-of-bounds access in helpers like bpf_skc_to_tcp6_sock().
- SOCK_OPS_GET_FIELD: dst_reg retains the ctx pointer which the verifier believes is a SCALAR_VALUE, leaking a kernel pointer.
Fix both macros by:
- Changing BPF_JMP_A(1) to BPF_JMP_A(2) in the fullsock path to skip the added instruction.
- Adding BPF_MOV64_IMM(si->dst_reg, 0) after the temp register restore in the !fullsock path, placed after the restore because dst_reg == src_reg means we need src_reg intact to read ctx->temp.
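The following C model is an added illustration, not part of the advisory or of the kernel source: it emits the instruction sequence the description attributes to the dst_reg == src_reg case of SOCK_OPS_GET_FIELD, with and without the two changes from the fix, and interprets it on a toy register file so the stale ctx pointer in dst_reg becomes visible. The struct layouts, register numbers (r1 as dst/src, r9 as the borrowed temp) and sample values are constructed.

```c
/* Constructed model of SOCK_OPS_GET_FIELD for dst_reg == src_reg (not kernel code). */
#include <stddef.h>
#include <stdint.h>

struct ctx  { uint64_t is_fullsock, sk, temp; };   /* stands in for bpf_sock_ops_kern */
struct sock { uint64_t pad, field; };              /* stands in for the OBJ holding OBJ_FIELD */
enum op { LDX, STX, JEQ0, JA, MOV0 };
struct insn { enum op op; int dst, src, off; };
struct result { uint64_t dst, tmp; int dst_is_ctx; };
#define MEM(base, off) (*(uint64_t *)((uintptr_t)(base) + (off)))

/* Emit the borrowed-register sequence; 'fixed' applies the two changes from the patch. */
static int emit(struct insn *p, int reg, int tmp, int fixed)
{
    int n = 0;
    p[n++] = (struct insn){STX,  reg, tmp, offsetof(struct ctx, temp)};       /* spill tmp into ctx->temp */
    p[n++] = (struct insn){LDX,  tmp, reg, offsetof(struct ctx, is_fullsock)};
    p[n++] = (struct insn){JEQ0, tmp, 0, 4};                                  /* !fullsock: skip to restore */
    p[n++] = (struct insn){LDX,  tmp, reg, offsetof(struct ctx, temp)};       /* fullsock: restore tmp */
    p[n++] = (struct insn){LDX,  reg, reg, offsetof(struct ctx, sk)};         /* dst = ctx->sk */
    p[n++] = (struct insn){LDX,  reg, reg, offsetof(struct sock, field)};     /* dst = sk->field */
    p[n++] = (struct insn){JA,   0, 0, fixed ? 2 : 1};                        /* BPF_JMP_A(1) -> BPF_JMP_A(2) */
    p[n++] = (struct insn){LDX,  tmp, reg, offsetof(struct ctx, temp)};       /* !fullsock: restore tmp */
    if (fixed)
        p[n++] = (struct insn){MOV0, reg, 0, 0};                              /* added BPF_MOV64_IMM(dst, 0) */
    return n;
}

static void run(const struct insn *p, int n, uint64_t *r)
{
    for (int pc = 0; pc < n; pc++) {
        const struct insn *i = &p[pc];
        switch (i->op) {
        case LDX:  r[i->dst] = MEM(r[i->src], i->off); break;
        case STX:  MEM(r[i->dst], i->off) = r[i->src]; break;
        case JEQ0: if (r[i->dst] == 0) pc += i->off; break;   /* BPF jumps are relative to pc+1 */
        case JA:   pc += i->off; break;
        case MOV0: r[i->dst] = 0; break;
        }
    }
}

/* r1 is both dst_reg and src_reg (holds ctx); r9 is the borrowed temp with a live value. */
struct result sock_ops_get_field(int fixed, int fullsock)
{
    struct sock sk = { 0, 0x1234 };
    struct ctx ctx = { (uint64_t)fullsock, (uint64_t)(uintptr_t)&sk, 0 };
    struct insn prog[9]; uint64_t r[11] = { 0 };
    r[1] = (uint64_t)(uintptr_t)&ctx;
    r[9] = 0xdeadbeef;
    run(prog, emit(prog, 1, 9, fixed), r);
    return (struct result){ r[1], r[9], r[1] == (uint64_t)(uintptr_t)&ctx };
}
```

With the unfixed sequence and is_fullsock == 0, r1 leaves the macro still equal to the ctx address while the verifier tracks it as a scalar; the fixed sequence returns 0 there and the loaded field in the fullsock case, with the temp register intact on both paths.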
Affected Products: Linux