Medium

Linux kernel BPF nullable PTR_TO_BUF NULL dereference

IdentifiersCVE-2026-43333CWE-476· NULL Pointer Dereference

A vulnerability in the Linux kernel BPF verifier allowed direct memory access checks on nullable PTR_TO_BUF pointers without enforcing a prior NULL check. The flaw is in check_mem_access(), which matches PTR_TO_BUF via base_type(); this strips the PTR_MAYBE_NULL qualifier and incorrectly permits direct dereference of pointers that may be NULL. In the map iterator context, ctx->key and ctx->value are typed as PTR_TO_BUF | PTR_MAYBE_NULL, and during stop callbacks these pointers can legitimately be NULL. As a result, direct access to these fields could trigger a kernel NULL pointer dereference. The fix adds a type_may_be_null() guard to the PTR_TO_BUF handling path, aligning it with the existing PTR_TO_BTF_ID validation pattern.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause a kernel NULL pointer dereference, leading to a kernel crash or denial of service. Available scoring and vendor context indicate the primary impact is on availability rather than confidentiality or integrity.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by restricting untrusted local access to systems capable of loading or exercising BPF functionality, and minimize availability of affected BPF map iterator paths to untrusted users. Because the issue is local and no user interaction is required, limiting local code execution opportunities and tightening BPF-related privileges can reduce risk, but patching is the definitive mitigation.

Remediation

Patch, then assume compromise.

Apply a kernel update that includes the BPF fix rejecting direct access to nullable PTR_TO_BUF pointers. The upstream remediation adds a type_may_be_null() guard in check_mem_access() for the PTR_TO_BUF branch. Vendor-fixed builds referenced in the provided content include SUSE kernel packages such as kernel-default 6.4.0-150700.53.60.1 for SLE 15 SP7 lines and kernel-default 6.12.0-160000.34.1 for SLE 16.0, SUSE Linux Micro 6.2, and openSUSE Leap 16.0, depending on product.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

bugzilla suseNews

Jun 26, 2026

1258538 - Enable Rust for Tumbleweed kernel

Referenced as one of many vulnerabilities solved by SUSE security updates; no technical details provided in the content.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-43333

NVD

nvd.nist.gov/vuln/detail/CVE-2026-43333

MITRE CWE · CWE-476

NULL Pointer Dereference

Patch

git.kernel.org/stable/c/10bc4a4dcded509c5d5c67d497900c3922c604cd

Patch

git.kernel.org/stable/c/21a10c06ffae24cb01fd174a7ab7736001d2ea56

Patch

git.kernel.org/stable/c/4f6c99dc0420f1a3d671c1b8ab8a7ac84d9cba09

Patch

git.kernel.org/stable/c/63276547debc4d8a73eefb2c5273b2a905c961b0

Patch

git.kernel.org/stable/c/70abd9d118da2f56beb4ec22e3a29becae373535

Patch

git.kernel.org/stable/c/8755066f7bd0f4ac46a29d1708c7b20894539252

Patch

git.kernel.org/stable/c/b0db1accbc7395657c2b79db59fa9fae0d6656f3