What is GHSA-vc3m-hcq5-8vhr?

GHSA-vc3m-hcq5-8vhr is a security advisory published by GitHub Security Advisories with High severity. In the Linux kernel, the following vulnerability has been resolved: bpf: Reset register ID for...

Which CVE IDs does GHSA-vc3m-hcq5-8vhr cover?

GHSA-vc3m-hcq5-8vhr covers the following CVE IDs: CVE-2026-43070. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-vc3m-hcq5-8vhr?

GHSA-vc3m-hcq5-8vhr has a CVSS v3 base score of 7.8, published by GitHub Security Advisories.

GHSA-vc3m-hcq5-8vhrHighCVSS 7.8

In the Linux kernel, the following vulnerability has been resolved: bpf: Reset register ID for...

Vendor

GitHub Security Advisories

Published

May 5, 2026

Last Modified

May 29, 2026

🔗 CVE IDs covered (1)

CVE-2026-43070 →

📋 Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Reset register ID for BPF_END value tracking

When a register undergoes a BPF_END (byte swap) operation, its scalar value is mutated in-place. If this register previously shared a scalar ID with another register (e.g., after an r1 = r0 assignment), this tie must be broken.

Currently, the verifier misses resetting dst_reg->id to 0 for BPF_END. Consequently, if a conditional jump checks the swapped register, the verifier incorrectly propagates the learned bounds to the linked register, leading to false confidence in the linked register's value and potentially allowing out-of-bounds memory accesses.

Fix this by explicitly resetting dst_reg->id to 0 in the BPF_END case to break the scalar tie, similar to how BPF_NEG handles it via __mark_reg_known.

🔗 CVE IDs covered (1)

📋 Description

🔗 References (5)