Kernel Vulnerability in Linux Affecting Atomic Fetch Operations
CVE-2026-43009

7.8HIGH

Key Information:

Vendor: Linux
Status: Linux
Vendor: CVE Published:; 1 May 2026

What is CVE-2026-43009?

A vulnerability exists in the Linux kernel impacting BPF atomic fetch operations. The issue arises when the backtrack_insn function encounters a BPF_STX instruction with BPF_ATOMIC and BPF_FETCH. In this scenario, the source register also acts as a destination, which can mistakenly lead to an incorrect state in the stack precision tracking. This flaw can allow the verifier's path pruning logic to erroneously treat divergent states as if they were equivalent, potentially affecting the execution flow and stability of applications relying on accurate memory management. A fix has been implemented to enhance the handling of these atomic fetch instructions, ensuring precision is correctly propagated to stack locations, prompting developers to update their systems to maintain security.

Affected Version(s)

Linux 5ca419f2864a2c60940dcf4bbaeb69546200e36f < 7ffbe45b1d227e24659998a91cfd4c27af457e71

Linux 5ca419f2864a2c60940dcf4bbaeb69546200e36f < 179ee84a89114b854ac2dd1d293633a7f6c8dac1

Linux 5.12

References

https://git.kernel.org/stable/c/7ffbe45b1d227e24659998a91...

https://git.kernel.org/stable/c/179ee84a89114b854ac2dd1d2...

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 1, 2026
Vulnerability Reserved
May 1, 2026

CVE-2026-43009 Data

JSON