CVE-2026-53076 - Vulnerability Details

- bpf: Fix OOB in pcpu_init_value

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix OOB in pcpu_init_value

An out-of-bounds read occurs when copying element from a
BPF_MAP_TYPE_CGROUP_STORAGE map to another pcpu map with the
same value_size that is not rounded up to 8 bytes.

The issue happens when:
1. A CGROUP_STORAGE map is created with value_size not aligned to
8 bytes (e.g., 4 bytes)
2. A pcpu map is created with the same value_size (e.g., 4 bytes)
3. Update element in 2 with data in 1

pcpu_init_value assumes that all sources are rounded up to 8 bytes,
and invokes copy_map_value_long to make a data copy, However, the
assumption doesn't stand since there are some cases where the source
may not be rounded up to 8 bytes, e.g., CGROUP_STORAGE, skb->data.
the verifier verifies exactly the size that the source claims, not
the size rounded up to 8 bytes by kernel, an OOB happens when the
source has only 4 bytes while the copy size(4) is rounded up to 8.

Published: 2026-06-24

Score: 7.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`d3bec0138bfbe58606fc1d6f57a4cdc1a20218db`	affected	< e19c5ed9f1922a6854073f8651a63fa7be26e9e9
`d3bec0138bfbe58606fc1d6f57a4cdc1a20218db`	affected	< e0378419b0e20178b5d100b27c9cc7e51064202e
`d3bec0138bfbe58606fc1d6f57a4cdc1a20218db`	affected	< 6086079e6d1c32ba4c4b422612b8aebb1129a96c
`d3bec0138bfbe58606fc1d6f57a4cdc1a20218db`	affected	< 634a793d0e1c822412095d25a1338f8831ad894c
`d3bec0138bfbe58606fc1d6f57a4cdc1a20218db`	affected	< 576afddfee8d1108ee299bf10f581593540d1a36
`c602ad2b52dcbca5af08e5137bd5575c039b52e3`	affected	—
`ab68b940dd6f7b5f8e2557937162dcb8a0583a05`	affected	—
`5.4.78`	affected	< 5.5
`5.9.9`	affected	< 5.10

Linux

affected

Version	Status	Constraints
`5.10`	affected	—
`0`	unaffected	< 5.10
`6.6.141`	unaffected	≤ 6.6.*
`6.12.91`	unaffected	≤ 6.12.*
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[d3bec0138bfbe58606fc1d6f57a4cdc1a20218db,e19c5ed9f1922a6854073f8651a63fa7be26e9e9)`	affected	code_commit	—
`[d3bec0138bfbe58606fc1d6f57a4cdc1a20218db,e0378419b0e20178b5d100b27c9cc7e51064202e)`	affected	code_commit	—
`[d3bec0138bfbe58606fc1d6f57a4cdc1a20218db,6086079e6d1c32ba4c4b422612b8aebb1129a96c)`	affected	code_commit	—
`[d3bec0138bfbe58606fc1d6f57a4cdc1a20218db,634a793d0e1c822412095d25a1338f8831ad894c)`	affected	code_commit	—
`[d3bec0138bfbe58606fc1d6f57a4cdc1a20218db,576afddfee8d1108ee299bf10f581593540d1a36)`	affected	code_commit	—
`c602ad2b52dcbca5af08e5137bd5575c039b52e3`	affected	code_commit	—
`ab68b940dd6f7b5f8e2557937162dcb8a0583a05`	affected	code_commit	—
`[5.4.78,5.5)`	affected	semver	—
`[5.9.9,5.10)`	affected	semver	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.10`	affected	semver	—
`[0,5.10)`	unaffected	semver	—
`[6.6.141,6.6.*]`	unaffected	semver	—
`[6.12.91,6.12.*]`	unaffected	semver	—
`[6.18.33,6.18.*]`	unaffected	semver	—
`[7.0.10,7.0.*]`	unaffected	semver	—
`[7.1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00116.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/576afddfee8d1108ee299bf10f581593540d1a36
https://git.kernel.org/stable/c/6086079e6d1c32ba4c4b422612b8aebb1129a96c
https://git.kernel.org/stable/c/634a793d0e1c822412095d25a1338f8831ad894c
https://git.kernel.org/stable/c/e0378419b0e20178b5d100b27c9cc7e51064202e
https://git.kernel.org/stable/c/e19c5ed9f1922a6854073f8651a63fa7be26e9e9
https://lore.kernel.org/linux-cve-announce/2026062405-CVE-2026-53076-65f3@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-53076
https://www.cve.org/CVERecord?id=CVE-2026-53076

History

Sun, 28 Jun 2026 08:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}`

Fri, 26 Jun 2026 03:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-119 CWE-22

Fri, 26 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-805
References		https://lore.kernel.org/linux-cve-announce/2026062405-CVE-2026-53076-65f3@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-53076 https://www.cve.org/CVERecord?id=CVE-2026-53076
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Wed, 24 Jun 2026 19:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119 CWE-22

Wed, 24 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: bpf: Fix OOB in pcpu_init_value An out-of-bounds read occurs when copying element from a BPF_MAP_TYPE_CGROUP_STORAGE map to another pcpu map with the same value_size that is not rounded up to 8 bytes. The issue happens when: 1. A CGROUP_STORAGE map is created with value_size not aligned to 8 bytes (e.g., 4 bytes) 2. A pcpu map is created with the same value_size (e.g., 4 bytes) 3. Update element in 2 with data in 1 pcpu_init_value assumes that all sources are rounded up to 8 bytes, and invokes copy_map_value_long to make a data copy, However, the assumption doesn't stand since there are some cases where the source may not be rounded up to 8 bytes, e.g., CGROUP_STORAGE, skb->data. the verifier verifies exactly the size that the source claims, not the size rounded up to 8 bytes by kernel, an OOB happens when the source has only 4 bytes while the copy size(4) is rounded up to 8.
Title		bpf: Fix OOB in pcpu_init_value
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/576afddfee8d1108ee299bf10f581593540d1a36 https://git.kernel.org/stable/c/6086079e6d1c32ba4c4b422612b8aebb1129a96c https://git.kernel.org/stable/c/634a793d0e1c822412095d25a1338f8831ad894c https://git.kernel.org/stable/c/e0378419b0e20178b5d100b27c9cc7e51064202e https://git.kernel.org/stable/c/e19c5ed9f1922a6854073f8651a63fa7be26e9e9

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T16:30:17.092Z

Updated: 2026-06-28T06:39:01.404Z

Reserved: 2026-06-09T07:44:35.383Z

Link: CVE-2026-53076

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53076 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-28T14:30:07Z

Weaknesses

CWE-805

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object