CVE-2026-43009
- Source
- https://cve.org/CVERecord?id=CVE-2026-43009
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43009.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-43009
- Downstream
- Related
- Published
- 2026-05-01T14:15:16.271Z
- Modified
- 2026-06-04T09:14:24.345648870Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- bpf: Fix incorrect pruning due to atomic fetch precision tracking
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix incorrect pruning due to atomic fetch precision tracking
When backtrackinsn encounters a BPFSTX instruction with BPFATOMIC and BPFFETCH, the src register (or r0 for BPF_CMPXCHG) also acts as a destination, thus receiving the old value from the memory location.
The current backtracking logic does not account for this. It treats atomic fetch operations the same as regular stores where the src register is only an input. This leads the backtrack_insn to fail to propagate precision to the stack location, which is then not marked as precise!
Later, the verifier's path pruning can incorrectly consider two states equivalent when they differ in terms of stack state. Meaning, two branches can be treated as equivalent and thus get pruned when they should not be seen as such.
Fix it as follows: Extend the BPFLDX handling in backtrackinsn to also cover atomic fetch operations via isatomicfetchinsn() helper. When the fetch dst register is being tracked for precision, clear it, and propagate precision over to the stack slot. For non-stack memory, the precision walk stops at the atomic instruction, same as regular BPFLDX. This covers all fetch variants.
Before:
0: (b7) r1 = 8 ; R1=8 1: (7b) *(u64 *)(r10 -8) = r1 ; R1=8 R10=fp0 fp-8=8 2: (b7) r2 = 0 ; R2=0 3: (db) r2 = atomic64fetchadd((u64 *)(r10 -8), r2) ; R2=8 R10=fp0 fp-8=mmmmmmmm 4: (bf) r3 = r10 ; R3=fp0 R10=fp0 5: (0f) r3 += r2 markprecise: frame0: lastidx 5 firstidx 0 subseqidx -1 markprecise: frame0: regs=r2 stack= before 4: (bf) r3 = r10 markprecise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64fetchadd((u64 *)(r10 -8), r2) mark_precise: frame0: regs=r2 stack= before 2: (b7) r2 = 0 6: R2=8 R3=fp8 6: (b7) r0 = 0 ; R0=0 7: (95) exit
After:
0: (b7) r1 = 8 ; R1=8 1: (7b) *(u64 *)(r10 -8) = r1 ; R1=8 R10=fp0 fp-8=8 2: (b7) r2 = 0 ; R2=0 3: (db) r2 = atomic64fetchadd((u64 *)(r10 -8), r2) ; R2=8 R10=fp0 fp-8=mmmmmmmm 4: (bf) r3 = r10 ; R3=fp0 R10=fp0 5: (0f) r3 += r2 markprecise: frame0: lastidx 5 firstidx 0 subseqidx -1 markprecise: frame0: regs=r2 stack= before 4: (bf) r3 = r10 markprecise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64fetchadd((u64 *)(r10 -8), r2) markprecise: frame0: regs= stack=-8 before 2: (b7) r2 = 0 markprecise: frame0: regs= stack=-8 before 1: (7b) *(u64 *)(r10 -8) = r1 mark_precise: frame0: regs=r1 stack= before 0: (b7) r1 = 8 6: R2=8 R3=fp8 6: (b7) r0 = 0 ; R0=0 7: (95) exit
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43009.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/stable/c/179ee84a89114b854ac2dd1d293633a7f6c8dac1
- https://git.kernel.org/stable/c/7ffbe45b1d227e24659998a91cfd4c27af457e71
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43009.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-43009
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git