BPF_END Logic Flaw in Linux Kernel Affecting Memory Safety
CVE-2026-43070
Currently unrated
What is CVE-2026-43070?
A vulnerability exists in the Linux kernel's handling of the BPF_END operation: register ID ties are improperly maintained across byte swap operations. When a register that has undergone a BPF_END operation shares an ID with another register due to an assignment, the verification process fails to reset the destination register's ID. This oversight can result in incorrect propagation of learned bounds, potentially allowing unsafe memory access patterns.
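A simplified model of the flaw described above, added here as an illustration and not taken from the kernel source or the advisory. The `Reg` class, the `analyze` and `is_sound` helpers, the modelled instruction sequence and the bound of 15 are all assumptions made for the example.

```python
# Toy model of ID-linked bounds tracking. Not kernel code; all names are hypothetical.
from dataclasses import dataclass, replace

U64_MAX = 2**64 - 1

@dataclass
class Reg:
    id: int = 0            # 0 means "not tied to any other register"
    umin: int = 0
    umax: int = U64_MAX

def bswap64(v):
    """What a 64-bit byte swap does to the runtime value."""
    return int.from_bytes(v.to_bytes(8, "little"), "big")

def analyze(reset_id_on_end):
    """Track bounds for: r0 = unknown; r1 = r0; r0 = bswap64(r0); if r1 > 15 exit."""
    regs = {"r0": Reg()}
    # r1 = r0: the assignment ties both registers with a shared non-zero ID.
    regs["r0"].id = 1
    regs["r1"] = replace(regs["r0"])
    # r0 = BPF_END(r0): the value changes, so r0's bounds become unknown.
    regs["r0"].umin, regs["r0"].umax = 0, U64_MAX
    if reset_id_on_end:
        regs["r0"].id = 0  # corrected behaviour: the swap breaks the tie
    # Fall-through of "if r1 > 15 exit": r1 is learned to lie in [0, 15],
    # and that knowledge is copied to every register sharing r1's ID.
    regs["r1"].umax = 15
    for r in regs.values():
        if r.id and r.id == regs["r1"].id:
            r.umin, r.umax = regs["r1"].umin, regs["r1"].umax
    return regs["r0"]

def is_sound(r0_bounds, runtime_input):
    """True if the real swapped value lies inside the tracked bounds for r0."""
    actual = bswap64(runtime_input)
    return r0_bounds.umin <= actual <= r0_bounds.umax

if __name__ == "__main__":
    for label, fixed in (("stale ID kept", False), ("ID reset on BPF_END", True)):
        r0 = analyze(fixed)
        # Constructed input 1 passes the r1 check, but bswap64(1) == 1 << 56.
        print(f"{label}: r0 in [{r0.umin}, {r0.umax:#x}] sound={is_sound(r0, 1)}")
```

With the stale ID kept, the model believes r0 is at most 15 while the swapped runtime value is far larger, which is the kind of wrong bound that makes a later bounds-checked memory access unsafe.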
Affected Version(s)
Linux 4c03342e5ac532fb34d13a7b51dd7261dfc48963
Linux d00ce96623a69a100ad79675d0e85fda3c50d89b < 0d15c3611a2cc5d08993545d4032055ae10ae2c1
Linux 9d21199842247ab05c675fb9b6c6ca393a5c0024