{"api_version":"1","generated_at":"2026-06-25T09:05:58+00:00","cve":"CVE-2026-53090","urls":{"html":"https://cve.report/CVE-2026-53090","api":"https://cve.report/api/cve/CVE-2026-53090.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-53090","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-53090"},"summary":{"title":"bpf: Fix ld_{abs,ind} failure path analysis in subprogs","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix ld_{abs,ind} failure path analysis in subprogs\n\nUsage of ld_{abs,ind} instructions got extended into subprogs some time\nago via commit 09b28d76eac4 (\"bpf: Add abnormal return checks.\"). These\nare only allowed in subprograms when the latter are BTF annotated and\nhave scalar return types.\n\nThe code generator in bpf_gen_ld_abs() has an abnormal exit path (r0=0 +\nexit) from legacy cBPF times. While the enforcement is on scalar return\ntypes, the verifier must also simulate the path of abnormal exit if the\npacket data load via ld_{abs,ind} failed.\n\nThis is currently not the case. Fix it by having the verifier simulate\nboth success and failure paths, and extend it in similar ways as we do\nfor tail calls. The success path (r0=unknown, continue to next insn) is\npushed onto stack for later validation and the r0=0 and return to the\ncaller is done on the fall-through side.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-24 17:17:23","updated_at":"2026-06-24 17:17:23"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/ee861486e377edc55361c08dcbceab3f6b6577bd","name":"https://git.kernel.org/stable/c/ee861486e377edc55361c08dcbceab3f6b6577bd","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/d846d83bdacbd8f14fc45c63b8c1d22608452e1c","name":"https://git.kernel.org/stable/c/d846d83bdacbd8f14fc45c63b8c1d22608452e1c","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-53090","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53090","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 09b28d76eac48e922dc293da1aa2b2b85c32aeee d846d83bdacbd8f14fc45c63b8c1d22608452e1c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 09b28d76eac48e922dc293da1aa2b2b85c32aeee ee861486e377edc55361c08dcbceab3f6b6577bd git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.10","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.10 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["kernel/bpf/verifier.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"d846d83bdacbd8f14fc45c63b8c1d22608452e1c","status":"affected","version":"09b28d76eac48e922dc293da1aa2b2b85c32aeee","versionType":"git"},{"lessThan":"ee861486e377edc55361c08dcbceab3f6b6577bd","status":"affected","version":"09b28d76eac48e922dc293da1aa2b2b85c32aeee","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["kernel/bpf/verifier.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.10"},{"lessThan":"5.10","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.10","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.10","versionStartIncluding":"5.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1","versionStartIncluding":"5.10","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix ld_{abs,ind} failure path analysis in subprogs\n\nUsage of ld_{abs,ind} instructions got extended into subprogs some time\nago via commit 09b28d76eac4 (\"bpf: Add abnormal return checks.\"). These\nare only allowed in subprograms when the latter are BTF annotated and\nhave scalar return types.\n\nThe code generator in bpf_gen_ld_abs() has an abnormal exit path (r0=0 +\nexit) from legacy cBPF times. While the enforcement is on scalar return\ntypes, the verifier must also simulate the path of abnormal exit if the\npacket data load via ld_{abs,ind} failed.\n\nThis is currently not the case. Fix it by having the verifier simulate\nboth success and failure paths, and extend it in similar ways as we do\nfor tail calls. The success path (r0=unknown, continue to next insn) is\npushed onto stack for later validation and the r0=0 and return to the\ncaller is done on the fall-through side."}],"providerMetadata":{"dateUpdated":"2026-06-24T16:30:29.413Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/d846d83bdacbd8f14fc45c63b8c1d22608452e1c"},{"url":"https://git.kernel.org/stable/c/ee861486e377edc55361c08dcbceab3f6b6577bd"}],"title":"bpf: Fix ld_{abs,ind} failure path analysis in subprogs","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-53090","datePublished":"2026-06-24T16:30:29.413Z","dateReserved":"2026-06-09T07:44:35.384Z","dateUpdated":"2026-06-24T16:30:29.413Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-24 17:17:23","lastModifiedDate":"2026-06-24 17:17:23","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"53090","Ordinal":"1","Title":"bpf: Fix ld_{abs,ind} failure path analysis in subprogs","CVE":"CVE-2026-53090","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"53090","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix ld_{abs,ind} failure path analysis in subprogs\n\nUsage of ld_{abs,ind} instructions got extended into subprogs some time\nago via commit 09b28d76eac4 (\"bpf: Add abnormal return checks.\"). These\nare only allowed in subprograms when the latter are BTF annotated and\nhave scalar return types.\n\nThe code generator in bpf_gen_ld_abs() has an abnormal exit path (r0=0 +\nexit) from legacy cBPF times. While the enforcement is on scalar return\ntypes, the verifier must also simulate the path of abnormal exit if the\npacket data load via ld_{abs,ind} failed.\n\nThis is currently not the case. Fix it by having the verifier simulate\nboth success and failure paths, and extend it in similar ways as we do\nfor tail calls. The success path (r0=unknown, continue to next insn) is\npushed onto stack for later validation and the r0=0 and return to the\ncaller is done on the fall-through side.","Type":"Description","Title":"bpf: Fix ld_{abs,ind} failure path analysis in subprogs"}]}}}