High

Linux kernel BPF regsafe() packet pointer state validation flaw

IdentifiersCVE-2026-43030CWE-670

CVE-2026-43030 is a vulnerability in the Linux kernel BPF verifier logic, fixed by the change described as "bpf: Fix regsafe() for pointers to packet." The flaw is in regsafe() handling of packet-pointer register state comparisons. Specifically, when the old register state has rold->reg->range == BEYOND_PKT_END and the current register state has rcur->reg->range == N, regsafe() may incorrectly return true. This can cause the verifier to treat distinct states as equivalent and skip exploration of a current state that actually has a valid packet range. The issue is therefore a logic error in BPF verifier state-safety analysis for pointers to packet.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can undermine the correctness of BPF verifier analysis, potentially allowing unsafe BPF program states involving packet pointers to be accepted or valid states to be mishandled. According to the provided scoring, the vulnerability is locally exploitable with low privileges and no user interaction, and may have high impact on confidentiality, integrity, and availability under the Linux Kernel CNA/NVD assessment. The precise downstream exploitation path beyond verifier state confusion is not specified in the provided content.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by restricting untrusted local users from loading or interacting with BPF functionality, and disable or tightly control unprivileged BPF use where supported by system policy. Because the issue is local and tied to BPF verifier behavior, limiting access to BPF program loading and minimizing local privilege exposure can reduce risk until patched. Specific temporary mitigations beyond access restriction are not provided in the content.

Remediation

Patch, then assume compromise.

Apply a Linux kernel version containing the fix for "bpf: Fix regsafe() for pointers to packet." In the provided vendor context, SUSE lists fixed packages including kernel-default 6.4.0-150700.53.60.1 or later for SLE 15 SP7, kernel-default 6.12.0-160000.35.1 or later for SLE 16.0/openSUSE Leap 16.0 class packages, and kernel-default 6.4.0-47.1 or later for certain SUSE Linux Micro releases. Use the vendor-provided updated kernel packages for the affected distribution and reboot after installation.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app

bugzilla suseNews

Jun 26, 2026

1258538 - Enable Rust for Tumbleweed kernel

Referenced as one of many vulnerabilities solved by SUSE security updates; no technical details provided in the content.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-43030

NVD

nvd.nist.gov/vuln/detail/CVE-2026-43030

MITRE CWE · CWE-670

cwe.mitre.org

Patch

git.kernel.org/stable/c/015a74476dc1ab6923d89f1ee009aaf43faa7185

Patch

git.kernel.org/stable/c/37db6b9726d0bcf91cbdf9d63b558c50da49f968

Patch

git.kernel.org/stable/c/7241da033fdc507b920e092dab1f97b945cb0370

Patch

git.kernel.org/stable/c/8aebe18069394f4a79d2d82080a0f806da449996

Patch

git.kernel.org/stable/c/a8502a79e832b861e99218cbd2d8f4312d62e225

Patch

git.kernel.org/stable/c/b52f6d0ef7b308f9d05bbddb78749852f28e8e40

Patch

git.kernel.org/stable/c/b99d82706bd1511bb875e3de7154698fd9215c99

Patch

git.kernel.org/stable/c/ca995b1462ec6db1e869100ba1fb7356bd3f22f0