CVE-2026-43009 (GCVE-0-2026-43009)

Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-03 05:46
VLAI?
Title
bpf: Fix incorrect pruning due to atomic fetch precision tracking
Summary
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix incorrect pruning due to atomic fetch precision tracking When backtrack_insn encounters a BPF_STX instruction with BPF_ATOMIC and BPF_FETCH, the src register (or r0 for BPF_CMPXCHG) also acts as a destination, thus receiving the old value from the memory location. The current backtracking logic does not account for this. It treats atomic fetch operations the same as regular stores where the src register is only an input. This leads the backtrack_insn to fail to propagate precision to the stack location, which is then not marked as precise! Later, the verifier's path pruning can incorrectly consider two states equivalent when they differ in terms of stack state. Meaning, two branches can be treated as equivalent and thus get pruned when they should not be seen as such. Fix it as follows: Extend the BPF_LDX handling in backtrack_insn to also cover atomic fetch operations via is_atomic_fetch_insn() helper. When the fetch dst register is being tracked for precision, clear it, and propagate precision over to the stack slot. For non-stack memory, the precision walk stops at the atomic instruction, same as regular BPF_LDX. This covers all fetch variants. Before: 0: (b7) r1 = 8 ; R1=8 1: (7b) *(u64 *)(r10 -8) = r1 ; R1=8 R10=fp0 fp-8=8 2: (b7) r2 = 0 ; R2=0 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) ; R2=8 R10=fp0 fp-8=mmmmmmmm 4: (bf) r3 = r10 ; R3=fp0 R10=fp0 5: (0f) r3 += r2 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10 mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) mark_precise: frame0: regs=r2 stack= before 2: (b7) r2 = 0 6: R2=8 R3=fp8 6: (b7) r0 = 0 ; R0=0 7: (95) exit After: 0: (b7) r1 = 8 ; R1=8 1: (7b) *(u64 *)(r10 -8) = r1 ; R1=8 R10=fp0 fp-8=8 2: (b7) r2 = 0 ; R2=0 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) ; R2=8 R10=fp0 fp-8=mmmmmmmm 4: (bf) r3 = r10 ; R3=fp0 R10=fp0 5: (0f) r3 += r2 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10 mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) mark_precise: frame0: regs= stack=-8 before 2: (b7) r2 = 0 mark_precise: frame0: regs= stack=-8 before 1: (7b) *(u64 *)(r10 -8) = r1 mark_precise: frame0: regs=r1 stack= before 0: (b7) r1 = 8 6: R2=8 R3=fp8 6: (b7) r0 = 0 ; R0=0 7: (95) exit
Severity ?
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 5ca419f2864a2c60940dcf4bbaeb69546200e36f , < 7ffbe45b1d227e24659998a91cfd4c27af457e71 (git)
Affected: 5ca419f2864a2c60940dcf4bbaeb69546200e36f , < 179ee84a89114b854ac2dd1d293633a7f6c8dac1 (git)
Create a notification for this product.
    Linux Linux Affected: 5.12
Unaffected: 0 , < 5.12 (semver)
Unaffected: 6.19.12 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/verifier.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7ffbe45b1d227e24659998a91cfd4c27af457e71",
              "status": "affected",
              "version": "5ca419f2864a2c60940dcf4bbaeb69546200e36f",
              "versionType": "git"
            },
            {
              "lessThan": "179ee84a89114b854ac2dd1d293633a7f6c8dac1",
              "status": "affected",
              "version": "5ca419f2864a2c60940dcf4bbaeb69546200e36f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/verifier.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.12",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix incorrect pruning due to atomic fetch precision tracking\n\nWhen backtrack_insn encounters a BPF_STX instruction with BPF_ATOMIC\nand BPF_FETCH, the src register (or r0 for BPF_CMPXCHG) also acts as\na destination, thus receiving the old value from the memory location.\n\nThe current backtracking logic does not account for this. It treats\natomic fetch operations the same as regular stores where the src\nregister is only an input. This leads the backtrack_insn to fail to\npropagate precision to the stack location, which is then not marked\nas precise!\n\nLater, the verifier\u0027s path pruning can incorrectly consider two states\nequivalent when they differ in terms of stack state. Meaning, two\nbranches can be treated as equivalent and thus get pruned when they\nshould not be seen as such.\n\nFix it as follows: Extend the BPF_LDX handling in backtrack_insn to\nalso cover atomic fetch operations via is_atomic_fetch_insn() helper.\nWhen the fetch dst register is being tracked for precision, clear it,\nand propagate precision over to the stack slot. For non-stack memory,\nthe precision walk stops at the atomic instruction, same as regular\nBPF_LDX. This covers all fetch variants.\n\nBefore:\n\n  0: (b7) r1 = 8                        ; R1=8\n  1: (7b) *(u64 *)(r10 -8) = r1         ; R1=8 R10=fp0 fp-8=8\n  2: (b7) r2 = 0                        ; R2=0\n  3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)          ; R2=8 R10=fp0 fp-8=mmmmmmmm\n  4: (bf) r3 = r10                      ; R3=fp0 R10=fp0\n  5: (0f) r3 += r2\n  mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1\n  mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10\n  mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)\n  mark_precise: frame0: regs=r2 stack= before 2: (b7) r2 = 0\n  6: R2=8 R3=fp8\n  6: (b7) r0 = 0                        ; R0=0\n  7: (95) exit\n\nAfter:\n\n  0: (b7) r1 = 8                        ; R1=8\n  1: (7b) *(u64 *)(r10 -8) = r1         ; R1=8 R10=fp0 fp-8=8\n  2: (b7) r2 = 0                        ; R2=0\n  3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)          ; R2=8 R10=fp0 fp-8=mmmmmmmm\n  4: (bf) r3 = r10                      ; R3=fp0 R10=fp0\n  5: (0f) r3 += r2\n  mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1\n  mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10\n  mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)\n  mark_precise: frame0: regs= stack=-8 before 2: (b7) r2 = 0\n  mark_precise: frame0: regs= stack=-8 before 1: (7b) *(u64 *)(r10 -8) = r1\n  mark_precise: frame0: regs=r1 stack= before 0: (b7) r1 = 8\n  6: R2=8 R3=fp8\n  6: (b7) r0 = 0                        ; R0=0\n  7: (95) exit"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-03T05:46:02.230Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7ffbe45b1d227e24659998a91cfd4c27af457e71"
        },
        {
          "url": "https://git.kernel.org/stable/c/179ee84a89114b854ac2dd1d293633a7f6c8dac1"
        }
      ],
      "title": "bpf: Fix incorrect pruning due to atomic fetch precision tracking",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43009",
    "datePublished": "2026-05-01T14:15:16.271Z",
    "dateReserved": "2026-05-01T14:12:55.974Z",
    "dateUpdated": "2026-05-03T05:46:02.230Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-43009",
      "date": "2026-05-04",
      "epss": "0.00013",
      "percentile": "0.02103"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-43009\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-01T15:16:44.770\",\"lastModified\":\"2026-05-03T07:16:21.640\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Fix incorrect pruning due to atomic fetch precision tracking\\n\\nWhen backtrack_insn encounters a BPF_STX instruction with BPF_ATOMIC\\nand BPF_FETCH, the src register (or r0 for BPF_CMPXCHG) also acts as\\na destination, thus receiving the old value from the memory location.\\n\\nThe current backtracking logic does not account for this. It treats\\natomic fetch operations the same as regular stores where the src\\nregister is only an input. This leads the backtrack_insn to fail to\\npropagate precision to the stack location, which is then not marked\\nas precise!\\n\\nLater, the verifier\u0027s path pruning can incorrectly consider two states\\nequivalent when they differ in terms of stack state. Meaning, two\\nbranches can be treated as equivalent and thus get pruned when they\\nshould not be seen as such.\\n\\nFix it as follows: Extend the BPF_LDX handling in backtrack_insn to\\nalso cover atomic fetch operations via is_atomic_fetch_insn() helper.\\nWhen the fetch dst register is being tracked for precision, clear it,\\nand propagate precision over to the stack slot. For non-stack memory,\\nthe precision walk stops at the atomic instruction, same as regular\\nBPF_LDX. This covers all fetch variants.\\n\\nBefore:\\n\\n  0: (b7) r1 = 8                        ; R1=8\\n  1: (7b) *(u64 *)(r10 -8) = r1         ; R1=8 R10=fp0 fp-8=8\\n  2: (b7) r2 = 0                        ; R2=0\\n  3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)          ; R2=8 R10=fp0 fp-8=mmmmmmmm\\n  4: (bf) r3 = r10                      ; R3=fp0 R10=fp0\\n  5: (0f) r3 += r2\\n  mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1\\n  mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10\\n  mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)\\n  mark_precise: frame0: regs=r2 stack= before 2: (b7) r2 = 0\\n  6: R2=8 R3=fp8\\n  6: (b7) r0 = 0                        ; R0=0\\n  7: (95) exit\\n\\nAfter:\\n\\n  0: (b7) r1 = 8                        ; R1=8\\n  1: (7b) *(u64 *)(r10 -8) = r1         ; R1=8 R10=fp0 fp-8=8\\n  2: (b7) r2 = 0                        ; R2=0\\n  3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)          ; R2=8 R10=fp0 fp-8=mmmmmmmm\\n  4: (bf) r3 = r10                      ; R3=fp0 R10=fp0\\n  5: (0f) r3 += r2\\n  mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1\\n  mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10\\n  mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)\\n  mark_precise: frame0: regs= stack=-8 before 2: (b7) r2 = 0\\n  mark_precise: frame0: regs= stack=-8 before 1: (7b) *(u64 *)(r10 -8) = r1\\n  mark_precise: frame0: regs=r1 stack= before 0: (b7) r1 = 8\\n  6: R2=8 R3=fp8\\n  6: (b7) r0 = 0                        ; R0=0\\n  7: (95) exit\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/179ee84a89114b854ac2dd1d293633a7f6c8dac1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7ffbe45b1d227e24659998a91cfd4c27af457e71\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.