SUSE Ships Broad Linux Kernel BPF Fixes for Local DoS and Privilege Bypass Flaws
SUSE has released a broad set of Linux kernel security updates addressing numerous BPF subsystem vulnerabilities that could be exploited locally with low privileges, including a permission-bypass flaw in BPF_PROG_DETACH on tcx and netkit devices tracked as CVE-2026-45932. That issue allowed unauthorized detachment of BPF programs when no program file descriptor was supplied, and was fixed by enforcing CAP_NET_ADMIN or CAP_SYS_ADMIN checks. Other patched flaws include verifier errors such as CVE-2026-43009 and CVE-2026-43030, a use-after-free in bpf_trampoline_link_cgroup_shim (CVE-2026-23319), an out-of-bounds write in devmap upper-device enumeration (CVE-2026-23359), and a nullable pointer dereference bug in map iterator callbacks (CVE-2026-43333).
The updates also cover earlier BPF and tcp_bpf issues that could crash the kernel or degrade availability, including ring buffer and verifier races, stackmap overflow handling, tail-call compatibility checks, invalid prog->stats access in cgroup BPF paths, and JIT constant-blinding gaps such as CVE-2026-23417. SUSE marked many fixes as released across SLES 15 SP7, SLES 16.0, SUSE Linux Micro 6.x, and openSUSE Leap 16.0, with advisories also listing remediated public cloud images for AWS, Azure, Google Cloud, and Alibaba in several cases. Some branches, including parts of SLES 16.1, older LTSS releases, and selected kernel-source variants, remain affected or in progress depending on product lifecycle and package line.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
13 events from the most recent confirmed update back to the earliest known activity.
SUSE updates CVE-2026-43030 page
SUSE last modified its CVE-2026-43030 page, updating tracking details for the Linux kernel BPF regsafe() vulnerability.
SUSE updates CVE-2026-43009 page
SUSE last modified its CVE-2026-43009 page, updating vendor tracking information for the Linux kernel BPF verifier vulnerability.
SUSE publishes advisories and fixes for CVE-2026-43030
SUSE published multiple advisories and released fixes across numerous SUSE Linux Enterprise, SUSE Linux Micro, and openSUSE Leap 16.0 packages for CVE-2026-43030.
SUSE publishes advisories and fixes for CVE-2026-45932
SUSE published multiple advisories and fixed package versions across numerous SUSE Linux Enterprise, SUSE Linux Micro, and openSUSE products for CVE-2026-45932, a BPF program detachment permission bypass affecting tcx and netkit devices.
SUSE updates CVE-2025-68378 page
SUSE last modified its CVE-2025-68378 page, reflecting updated tracking information for the Linux kernel BPF stackmap overflow issue in __bpf_get_stackid().
SUSE publishes advisories and fixes for CVE-2026-43333
SUSE published multiple advisories and released fixes across supported products for CVE-2026-43333, which involved nullable PTR_TO_BUF pointers being directly dereferenced in the Linux kernel BPF subsystem.
SUSE publishes advisories and fixes for CVE-2026-23359
SUSE published multiple advisories and released fixes across numerous SUSE Linux Enterprise, SUSE Linux Micro, and openSUSE products for CVE-2026-23359, a BPF devmap stack out-of-bounds write issue.
SUSE publishes bugzilla entry for CVE-2025-68742 fix
SUSE published Bugzilla entry 1255707 documenting CVE-2025-68742, identifying upstream fixing commit 7dc211c1159d and noting backports to SL-16.0 and fixes/linux-6.4.
SUSE publishes fixes for CVE-2026-43009 across supported products
SUSE published multiple advisories and released fixes across supported products including SLES 15 SP7, SLES 16.0, SLE Micro 6.x, and openSUSE Leap 16.0 for CVE-2026-43009.
SUSE publishes advisories and fixes for CVE-2026-23417
On 2026-05-28, SUSE published multiple advisories and released fixes for CVE-2026-23417 affecting the Linux kernel BPF subsystem's constant blinding for PROBE_MEM32 stores during JIT compilation.
SUSE creates CVE-2026-43030 tracking page
SUSE's CVE page for CVE-2026-43030 was created to track the Linux kernel BPF regsafe() flaw affecting pointers to packet handling.
SUSE creates CVE-2026-43009 tracking page
SUSE's CVE page for CVE-2026-43009 was created, beginning vendor tracking for the Linux kernel BPF verifier flaw involving incorrect pruning from atomic fetch precision tracking.
SUSE publishes advisories and fixes for CVE-2026-23319
SUSE published multiple advisories in April 2026 and released fixes across many SLES, SLE Micro, openSUSE Leap 16.0, and related kernel packages for CVE-2026-23319, a BPF use-after-free issue in bpf_trampoline_link_cgroup_shim.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
19 references tracked. Mallory keeps watching after this page renders.
CVE-2026-43030 Common Vulnerabilities and Exposures | SUSE
suse.com
Open sourceCVE-2026-45932 Common Vulnerabilities and Exposures | SUSE
suse.com
Open sourceCVE-2026-43333 Common Vulnerabilities and Exposures | SUSE
suse.com
Open sourceCVE-2026-23359 Common Vulnerabilities and Exposures | SUSE
suse.com
Open sourceCVE-2025-68744 Common Vulnerabilities and Exposures | SUSE
suse.com
Open sourceCVE-2025-68378 Common Vulnerabilities and Exposures | SUSE
suse.com
Open sourceCVE-2025-40319 Common Vulnerabilities and Exposures | SUSE
suse.com
Open sourceCVE-2023-54173 Common Vulnerabilities and Exposures | SUSE
suse.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
SUSE Ships Linux Kernel Fixes for Netfilter and RDS Flaws
SUSE released security updates for multiple Linux kernel vulnerabilities affecting the `netfilter` and RDS networking subsystems, including **CVE-2026-23412**, **CVE-2026-23278**, and **CVE-2026-23419**. The most severe issues were rated **Important** and include a `netfilter`/BPF use-after-free bug in `nfnetlink_hooks` that could occur when hooks were dumped concurrently, and an `nf_tables` transaction-processing flaw that failed to walk all pending catchall elements during map removal, leading to kernel warnings and improper cleanup. SUSE said the `CVE-2026-23412` fix defers hook memory release until RCU readers complete, while `CVE-2026-23278` addresses cleanup handling involving `nft_data_release` and `nf_tables_abort`. SUSE also resolved **CVE-2026-23419**, a moderate-severity Linux kernel bug in `rds_tcp_tune()` caused by a circular locking dependency that could affect system availability; the fix moves `sk_net_refcnt_upgrade()` outside the socket-lock critical section. The updates were issued across a broad range of products, including **SLES 15 SP6/SP7**, **SLES 16.0**, **SLE Micro**, **SUSE Linux Micro 6.x**, **openSUSE Leap 15.6/16.0**, live patching, real-time kernels, and public cloud images, although some package branches such as certain `kernel-source-azure`, RT source, and newer 16.x components remained marked affected, unsupported, or in progress on SUSE tracking pages and Bugzilla.
Jun 4, 2026
SUSE fixes Linux kernel arm64 BPF JIT flaw that could redirect execution
SUSE has released kernel updates for **CVE-2026-23383**, an arm64 Linux kernel flaw in the BPF JIT implementation that can leave the `struct bpf_plt` 64-bit `target` field misaligned. The bug stems from allocating the JIT buffer with only 4-byte alignment, which can trigger UBSAN misaligned-access warnings and, under concurrent `WRITE_ONCE()` updates in `bpf_arch_text_poke()`, cause atomic tearing that may send JIT execution to a corrupted address. The upstream fix changes `bpf_jit_binary_pack_alloc()` to enforce 8-byte alignment; SUSE’s bug tracker links the remediation to commit `ef06fd16d4870` and notes backports into supported kernel branches. SUSE rates the issue **moderate**, while published scoring shows a higher **CVSS v3 7.8** from NVD/Linux Kernel CNA and **5.5** from SUSE. The vendor says fixes have been shipped through multiple advisories affecting **SUSE Linux Enterprise Server 16.0**, **SLE 15 SP7** live patching and real-time kernels, **SUSE Linux Micro 6.0/6.1/6.2**, and **openSUSE Leap 16.0**, although package status varies by product lifecycle. A separate SUSE kernel bulletin published alongside this issue also addressed **CVE-2026-23304**, a local IPv6/VRF NULL-pointer dereference that can cause denial of service in `ip6_rt_get_dev_rcu()` when a slave device is detached from a VRF.
Jun 4, 2026
SUSE fixes Linux kernel BPF race condition tracked as CVE-2023-54283
SUSE has released fixes for **CVE-2023-54283**, a Linux kernel flaw in the **BPF** subsystem caused by a KCSAN-reported data race involving `bpf_lru_list` access to `node->ref`. The issue was observed during concurrent activity between `__bpf_lru_list_rotate` and `__htab_lru_percpu_map_update_elem` in syzkaller testing, and SUSE rates it **moderate severity** with a **CVSS v3.1 score of 5.8**. The vulnerability requires **local access**, **low privileges**, and **high attack complexity**. The fix replaces `data_race()` usage with `READ_ONCE()` and `WRITE_ONCE()` patterns and introduces the helper `bpf_lru_node_clear_ref()` to safely clear the reference flag. SUSE says patches have been shipped through multiple advisories covering products including **SLES 15 SP6-LTSS**, **SLES 15 SP7**, **SUSE Linux Micro 6.0/6.1**, **openSUSE Leap 15.6**, Public Cloud Module builds, and live patching variants, while some newer product lines are marked not affected and several older lines remain affected or unsupported.
Jun 27, 2026