CVE-2026-43333 PUBLISHED

bpf: reject direct access to nullable PTR_TO_BUF pointers

Assigner: Linux
Reserved: 01.05.2026 Published: 08.05.2026 Updated: 08.05.2026

In the Linux kernel, the following vulnerability has been resolved:

bpf: reject direct access to nullable PTR_TO_BUF pointers

check_mem_access() matches PTR_TO_BUF via base_type() which strips PTR_MAYBE_NULL, allowing direct dereference without a null check.

Map iterator ctx->key and ctx->value are PTR_TO_BUF | PTR_MAYBE_NULL. On stop callbacks these are NULL, causing a kernel NULL dereference.

Add a type_may_be_null() guard to the PTR_TO_BUF branch, matching the existing PTR_TO_BTF_ID pattern.

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from b453361384c2db1c703dacb806d5fd36aec4ceca to 10bc4a4dcded509c5d5c67d497900c3922c604cd (excl.)
  • affected from 20b2aff4bc15bda809f994761d5719827d66c0b4 to 21a10c06ffae24cb01fd174a7ab7736001d2ea56 (excl.)
  • affected from 20b2aff4bc15bda809f994761d5719827d66c0b4 to 8755066f7bd0f4ac46a29d1708c7b20894539252 (excl.)
  • affected from 20b2aff4bc15bda809f994761d5719827d66c0b4 to 70abd9d118da2f56beb4ec22e3a29becae373535 (excl.)
  • affected from 20b2aff4bc15bda809f994761d5719827d66c0b4 to 63276547debc4d8a73eefb2c5273b2a905c961b0 (excl.)
  • affected from 20b2aff4bc15bda809f994761d5719827d66c0b4 to 4f6c99dc0420f1a3d671c1b8ab8a7ac84d9cba09 (excl.)
  • affected from 20b2aff4bc15bda809f994761d5719827d66c0b4 to b0db1accbc7395657c2b79db59fa9fae0d6656f3 (excl.)
  • Version e982070f8970bb62e69ed7c9cafff886ed200349 is affected
Vendor Linux
Product Linux
Versions Default: affected
  • Version 5.17 is affected
  • unaffected from 0 to 5.17 (excl.)
  • unaffected from 5.15.203 to 5.15.* (incl.)
  • unaffected from 6.1.168 to 6.1.* (incl.)
  • unaffected from 6.6.134 to 6.6.* (incl.)
  • unaffected from 6.12.81 to 6.12.* (incl.)
  • unaffected from 6.18.22 to 6.18.* (incl.)
  • unaffected from 6.19.12 to 6.19.* (incl.)
  • unaffected from 7.0 to * (incl.)

References