GHSA-8mpp-jf4m-xx27unknown

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix abuse of...

Published
June 24, 2026
Last Modified
June 24, 2026

🔗 CVE IDs covered (1)

📋 Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix abuse of kprobe_write_ctx via freplace

uprobe programs are allowed to modify struct pt_regs.

Since the actual program type of uprobe is KPROBE, it can be abused to modify struct pt_regs via kprobe+freplace when the kprobe attaches to kernel functions.

For example,

SEC("?kprobe") int kprobe(struct pt_regs *regs) { return 0; }

SEC("?freplace") int freplace_kprobe(struct pt_regs *regs) { regs->di = 0; return 0; }

freplace_kprobe prog will attach to kprobe prog. kprobe prog will attach to a kernel function.

Without this patch, when the kernel function runs, its first arg will always be set as 0 via the freplace_kprobe prog.

To fix the abuse of kprobe_write_ctx=true via kprobe+freplace, disallow attaching freplace programs on kprobe programs with different kprobe_write_ctx values.

🔗 References (5)