Bug 2492291 (CVE-2026-53095) - CVE-2026-53095 kernel: bpf: Fix abuse of kprobe_write_ctx via freplace
Summary: CVE-2026-53095 kernel: bpf: Fix abuse of kprobe_write_ctx via freplace
Keywords:
Status: NEW
Alias: CVE-2026-53095
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-24 18:03 UTC by OSIDB Bzimport
Modified: 2026-06-25 10:10 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-24 18:03:43 UTC
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix abuse of kprobe_write_ctx via freplace

uprobe programs are allowed to modify struct pt_regs.

Since the actual program type of uprobe is KPROBE, it can be abused to
modify struct pt_regs via kprobe+freplace when the kprobe attaches to
kernel functions.

For example,

SEC("?kprobe")
int kprobe(struct pt_regs *regs)
{
	return 0;
}

SEC("?freplace")
int freplace_kprobe(struct pt_regs *regs)
{
	regs->di = 0;
	return 0;
}

freplace_kprobe prog will attach to kprobe prog.
kprobe prog will attach to a kernel function.

Without this patch, when the kernel function runs, its first arg will
always be set as 0 via the freplace_kprobe prog.

To fix the abuse of kprobe_write_ctx=true via kprobe+freplace, disallow
attaching freplace programs on kprobe programs with different
kprobe_write_ctx values.

Comment 1 Mauro Matteo Cascella 2026-06-24 19:41:36 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026062410-CVE-2026-53095-5229@gregkh/T


Note You need to log in before you can comment on or make changes to this bug.