{"api_version":"1","generated_at":"2026-05-13T07:40:17+00:00","cve":"CVE-2026-43306","urls":{"html":"https://cve.report/CVE-2026-43306","api":"https://cve.report/api/cve/CVE-2026-43306.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-43306","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-43306"},"summary":{"title":"bpf: crypto: Use the correct destructor kfunc type","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: crypto: Use the correct destructor kfunc type\n\nWith CONFIG_CFI enabled, the kernel strictly enforces that indirect\nfunction calls use a function pointer type that matches the target\nfunction. I ran into the following type mismatch when running BPF\nself-tests:\n\n  CFI failure at bpf_obj_free_fields+0x190/0x238 (target:\n    bpf_crypto_ctx_release+0x0/0x94; expected type: 0xa488ebfc)\n  Internal error: Oops - CFI: 00000000f2008228 [#1]  SMP\n  ...\n\nAs bpf_crypto_ctx_release() is also used in BPF programs and using\na void pointer as the argument would make the verifier unhappy, add\na simple stub function with the correct type and register it as the\ndestructor kfunc instead.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-08 14:16:37","updated_at":"2026-05-12 14:10:27"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/3979a550fe06b370d73647f59cf462fa525c9ec4","name":"https://git.kernel.org/stable/c/3979a550fe06b370d73647f59cf462fa525c9ec4","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/4e3e57dbf46dad3498f8c4219ce2dba756875962","name":"https://git.kernel.org/stable/c/4e3e57dbf46dad3498f8c4219ce2dba756875962","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/b40a5d724f29fc2eed23ff353808a9aae616b48a","name":"https://git.kernel.org/stable/c/b40a5d724f29fc2eed23ff353808a9aae616b48a","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/50d6fd69388cc7b05dce72f09080674dcede4ac9","name":"https://git.kernel.org/stable/c/50d6fd69388cc7b05dce72f09080674dcede4ac9","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-43306","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43306","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3e1c6f35409f9e447bf37f64840f5b65576bfb78 4e3e57dbf46dad3498f8c4219ce2dba756875962 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3e1c6f35409f9e447bf37f64840f5b65576bfb78 50d6fd69388cc7b05dce72f09080674dcede4ac9 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3e1c6f35409f9e447bf37f64840f5b65576bfb78 3979a550fe06b370d73647f59cf462fa525c9ec4 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3e1c6f35409f9e447bf37f64840f5b65576bfb78 b40a5d724f29fc2eed23ff353808a9aae616b48a git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.10","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.10 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.75 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.16 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.6 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"43306","cve":"CVE-2026-43306","epss":"0.000180000","percentile":"0.047270000","score_date":"2026-05-12","updated_at":"2026-05-13 00:11:53"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["kernel/bpf/crypto.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"4e3e57dbf46dad3498f8c4219ce2dba756875962","status":"affected","version":"3e1c6f35409f9e447bf37f64840f5b65576bfb78","versionType":"git"},{"lessThan":"50d6fd69388cc7b05dce72f09080674dcede4ac9","status":"affected","version":"3e1c6f35409f9e447bf37f64840f5b65576bfb78","versionType":"git"},{"lessThan":"3979a550fe06b370d73647f59cf462fa525c9ec4","status":"affected","version":"3e1c6f35409f9e447bf37f64840f5b65576bfb78","versionType":"git"},{"lessThan":"b40a5d724f29fc2eed23ff353808a9aae616b48a","status":"affected","version":"3e1c6f35409f9e447bf37f64840f5b65576bfb78","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["kernel/bpf/crypto.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.10"},{"lessThan":"6.10","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.75","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.16","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.6","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.75","versionStartIncluding":"6.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.16","versionStartIncluding":"6.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.6","versionStartIncluding":"6.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"6.10","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: crypto: Use the correct destructor kfunc type\n\nWith CONFIG_CFI enabled, the kernel strictly enforces that indirect\nfunction calls use a function pointer type that matches the target\nfunction. I ran into the following type mismatch when running BPF\nself-tests:\n\n  CFI failure at bpf_obj_free_fields+0x190/0x238 (target:\n    bpf_crypto_ctx_release+0x0/0x94; expected type: 0xa488ebfc)\n  Internal error: Oops - CFI: 00000000f2008228 [#1]  SMP\n  ...\n\nAs bpf_crypto_ctx_release() is also used in BPF programs and using\na void pointer as the argument would make the verifier unhappy, add\na simple stub function with the correct type and register it as the\ndestructor kfunc instead."}],"providerMetadata":{"dateUpdated":"2026-05-11T22:22:00.468Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/4e3e57dbf46dad3498f8c4219ce2dba756875962"},{"url":"https://git.kernel.org/stable/c/50d6fd69388cc7b05dce72f09080674dcede4ac9"},{"url":"https://git.kernel.org/stable/c/3979a550fe06b370d73647f59cf462fa525c9ec4"},{"url":"https://git.kernel.org/stable/c/b40a5d724f29fc2eed23ff353808a9aae616b48a"}],"title":"bpf: crypto: Use the correct destructor kfunc type","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-43306","datePublished":"2026-05-08T13:11:25.624Z","dateReserved":"2026-05-01T14:12:56.000Z","dateUpdated":"2026-05-11T22:22:00.468Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-08 14:16:37","lastModifiedDate":"2026-05-12 14:10:27","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"43306","Ordinal":"1","Title":"bpf: crypto: Use the correct destructor kfunc type","CVE":"CVE-2026-43306","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"43306","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: crypto: Use the correct destructor kfunc type\n\nWith CONFIG_CFI enabled, the kernel strictly enforces that indirect\nfunction calls use a function pointer type that matches the target\nfunction. I ran into the following type mismatch when running BPF\nself-tests:\n\n  CFI failure at bpf_obj_free_fields+0x190/0x238 (target:\n    bpf_crypto_ctx_release+0x0/0x94; expected type: 0xa488ebfc)\n  Internal error: Oops - CFI: 00000000f2008228 [#1]  SMP\n  ...\n\nAs bpf_crypto_ctx_release() is also used in BPF programs and using\na void pointer as the argument would make the verifier unhappy, add\na simple stub function with the correct type and register it as the\ndestructor kfunc instead.","Type":"Description","Title":"bpf: crypto: Use the correct destructor kfunc type"}]}}}