CVE-2026-43009
Published: 01 May 2026
Summary
CVE-2026-43009 is a high-severity vulnerability in the Linux kernel; its weakness class is unspecified. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-43009 is a vulnerability in the Linux kernel's BPF verifier, specifically in the backtrack_insn function's handling of BPF_STX instructions with BPF_ATOMIC and BPF_FETCH modifiers. The issue arises because the verifier fails to properly track precision for the destination register (which receives the old memory value in atomic fetch operations like atomic64_fetch_add), treating it like a regular store. This prevents precision propagation to stack locations, causing the verifier's path pruning logic to incorrectly deem two states equivalent despite differing stack states, potentially allowing invalid BPF programs to pass verification.
A local attacker with low privileges (PR:L) can exploit this by submitting a specially crafted BPF program that leverages atomic fetch operations on stack memory. Successful exploitation bypasses verifier restrictions, enabling the program to be loaded and executed in kernel context, which could result in high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H) as scored by CVSS 3.1 (7.8/AV:L/AC:L/PR:L/UI:N/S:U). No user interaction is required, and the attack is straightforward given low attack complexity.
Mitigation involves applying kernel patches from the referenced stable commits: https://git.kernel.org/stable/c/179ee84a89114b854ac2dd1d293633a7f6c8dac1 and https://git.kernel.org/stable/c/7ffbe45b1d227e24659998a91cfd4c27af457e71. These extend BPF_LDX handling in backtrack_insn to cover atomic fetch operations via an is_atomic_fetch_insn helper, ensuring proper precision propagation to stack slots and preventing incorrect pruning. Security practitioners should update affected Linux kernels promptly, particularly those using eBPF extensively.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26608
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix incorrect pruning due to atomic fetch precision tracking

When backtrack_insn encounters a BPF_STX instruction with BPF_ATOMIC and BPF_FETCH, the src register (or r0 for BPF_CMPXCHG) also acts as a destination, thus receiving the old value from the memory location.

The current backtracking logic does not account for this. It treats atomic fetch operations the same as regular stores where the src register is only an input. This leads the backtrack_insn to fail to propagate precision to the stack location, which is then not marked as precise!

Later, the verifier's path pruning can incorrectly consider two states equivalent when they differ in terms of stack state. Meaning, two branches can be treated as equivalent and thus get pruned when they should not be seen as such.

Fix it as follows: Extend the BPF_LDX handling in backtrack_insn to also cover atomic fetch operations via is_atomic_fetch_insn() helper. When the fetch dst register is being tracked for precision, clear it, and propagate precision over to the stack slot. For non-stack memory, the precision walk stops at the atomic instruction, same as regular BPF_LDX. This covers all fetch variants.

Before:

  0: (b7) r1 = 8 ; R1=8
  1: (7b) *(u64 *)(r10 -8) = r1 ; R1=8 R10=fp0 fp-8=8
  2: (b7) r2 = 0 ; R2=0
  3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) ; R2=8 R10=fp0 fp-8=mmmmmmmm
  4: (bf) r3 = r10 ; R3=fp0 R10=fp0
  5: (0f) r3 += r2
  mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1
  mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10
  mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)
  mark_precise: frame0: regs=r2 stack= before 2: (b7) r2 = 0
  6: R2=8 R3=fp8
  6: (b7) r0 = 0 ; R0=0
  7: (95) exit

After:

  0: (b7) r1 = 8 ; R1=8
  1: (7b) *(u64 *)(r10 -8) = r1 ; R1=8 R10=fp0 fp-8=8
  2: (b7) r2 = 0 ; R2=0
  3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) ; R2=8 R10=fp0 fp-8=mmmmmmmm
  4: (bf) r3 = r10 ; R3=fp0 R10=fp0
  5: (0f) r3 += r2
  mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1
  mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10
  mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)
  mark_precise: frame0: regs= stack=-8 before 2: (b7) r2 = 0
  mark_precise: frame0: regs= stack=-8 before 1: (7b) *(u64 *)(r10 -8) = r1
  mark_precise: frame0: regs=r1 stack= before 0: (b7) r1 = 8
  6: R2=8 R3=fp8
  6: (b7) r0 = 0 ; R0=0
  7: (95) exit
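The difference between the two mark_precise walks above can be reproduced with a small model. This is an added example, not kernel code and not part of the commit: it is a simplified stand-in for backtrack_insn in which the instruction encoding, the struct names and the `fixed` switch are all assumptions of the example, and in fixed mode the atomic fetch is treated purely as a load into its src register.

```c
#include <stdio.h>
/* Simplified model of precision backtracking, NOT the kernel's backtrack_insn(). */
enum kind { MOV_IMM, MOV_REG, ST_STACK, LD_STACK, ATOMIC_FETCH };
struct insn { enum kind k; int dst, src, slot; };   /* slot 1 stands for fp-8 */
struct marks { unsigned regs, stack; };             /* bitmasks: ever marked precise */
#define FP 10                                       /* r10, the frame pointer */

/* Constructed encoding of insns 0..4 from the verifier log on this page. */
static const struct insn page_prog[] = {
    { .k = MOV_IMM,      .dst = 1 },                /* 0: r1 = 8 */
    { .k = ST_STACK,     .src = 1, .slot = 1 },     /* 1: *(u64 *)(r10 -8) = r1 */
    { .k = MOV_IMM,      .dst = 2 },                /* 2: r2 = 0 */
    { .k = ATOMIC_FETCH, .src = 2, .slot = 1 },     /* 3: r2 = atomic64_fetch_add(...) */
    { .k = MOV_REG,      .dst = 3, .src = FP },     /* 4: r3 = r10 */
};

/* Walk back from insn `last` with `regs` needing precision.
 * fixed=0: atomic fetch handled like a plain store (behaviour before the fix).
 * fixed=1: fetch register handled like a load destination (after the fix). */
struct marks backtrack(const struct insn *p, int last, unsigned regs, int fixed)
{
    struct marks seen = { regs, 0 };
    unsigned stack = 0;
    for (int i = last; i >= 0; i--) {
        unsigned d = 1u << p[i].dst, s = 1u << p[i].src, sl = 1u << p[i].slot;
        switch (p[i].k) {
        case MOV_IMM: regs &= ~d; break;            /* a constant ends the chain */
        case MOV_REG: if (regs & d) { regs &= ~d; if (p[i].src != FP) regs |= s; } break;
        case LD_STACK: if (regs & d) { regs &= ~d; stack |= sl; } break;
        case ATOMIC_FETCH:
            if (fixed) {                            /* src also receives the old value */
                if (regs & s) { regs &= ~s; stack |= sl; }
                break;
            }
            /* fall through: before the fix this was just a store */
        case ST_STACK: if (stack & sl) { stack &= ~sl; regs |= s; } break;
        }
        seen.regs |= regs;
        seen.stack |= stack;
    }
    return seen;
}

int main(void)
{
    struct marks a = backtrack(page_prog, 4, 1u << 2, 0);
    struct marks b = backtrack(page_prog, 4, 1u << 2, 1);
    printf("before fix: regs=%#x stack=%#x\n", a.regs, a.stack);
    printf("after fix:  regs=%#x stack=%#x\n", b.regs, b.stack);
    return 0;
}
```

In the model, only the fixed walk ever marks the fp-8 slot and r1 as precise, matching the `stack=-8` and `regs=r1` lines in the "After" log.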
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the Linux kernel BPF verifier allows a local low-privileged attacker to bypass safety checks and load/execute arbitrary BPF programs in kernel context, directly enabling privilege escalation via exploitation of a software vulnerability.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Requires timely patching of the Linux kernel to fix the BPF verifier's precision tracking flaw in atomic fetch operations, directly preventing invalid BPF programs from bypassing verification.
Vulnerability scanning identifies Linux kernels vulnerable to CVE-2026-43009's BPF verifier issue, enabling prioritization of remediation efforts.
Monitoring vendor security alerts and directives ensures awareness of the BPF verifier vulnerability, facilitating prompt patch deployment.