GHSA-vwfw-86r9-43wpunknown

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix NULL deref in...

Published
June 24, 2026
Last Modified
June 24, 2026

🔗 CVE IDs covered (1)

📋 Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix NULL deref in map_kptr_match_type for scalar regs

Commit ab6c637ad027 ("bpf: Fix a bpf_kptr_xchg() issue with local kptr") refactored map_kptr_match_type() to branch on btf_is_kernel() before checking base_type(). A scalar register stored into a kptr slot has no btf, so the btf_is_kernel(reg->btf) call dereferences NULL.

Move the base_type() != PTR_TO_BTF_ID guard before any reg->btf access.

🔗 References (7)