Bug 2492288 (CVE-2026-53076) - CVE-2026-53076 kernel: bpf: Fix OOB in pcpu_init_value
Summary: CVE-2026-53076 kernel: bpf: Fix OOB in pcpu_init_value
Keywords:
Status: NEW
Alias: CVE-2026-53076
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-24 18:03 UTC by OSIDB Bzimport
Modified: 2026-06-25 15:34 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-24 18:03:26 UTC 
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix OOB in pcpu_init_value

An out-of-bounds read occurs when copying element from a
BPF_MAP_TYPE_CGROUP_STORAGE map to another pcpu map with the
same value_size that is not rounded up to 8 bytes.

The issue happens when:
1. A CGROUP_STORAGE map is created with value_size not aligned to
   8 bytes (e.g., 4 bytes)
2. A pcpu map is created with the same value_size (e.g., 4 bytes)
3. Update element in 2 with data in 1

pcpu_init_value assumes that all sources are rounded up to 8 bytes,
and invokes copy_map_value_long to make a data copy, However, the
assumption doesn't stand since there are some cases where the source
may not be rounded up to 8 bytes, e.g., CGROUP_STORAGE, skb->data.
the verifier verifies exactly the size that the source claims, not
the size rounded up to 8 bytes by kernel, an OOB happens when the
source has only 4 bytes while the copy size(4) is rounded up to 8.
Comment 1 Mauro Matteo Cascella 2026-06-25 15:32:27 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026062405-CVE-2026-53076-65f3@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.