Linux kernel BPF tcx/netkit unauthorized detach permission bypass

A local attacker with low privileges and no user interaction can bypass authorization checks and detach BPF programs from tcx or netkit devices. This can undermine networking policy enforcement or other security controls implemented through attached BPF programs, with resulting confidentiality impact reported as low and integrity and availability impact reported as high. Published scoring in the provided content lists CVSS v3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H.

No specific workaround is provided in the supplied content beyond applying the vendor fix. Until patched, restrict local shell and container access to trusted users, minimize exposure of BPF-related administrative interfaces, and ensure only appropriately privileged users can perform networking administration. Where operationally feasible, monitor for unexpected BPF program detach activity on tcx or netkit devices.

Update to a Linux kernel version containing the fix for CVE-2026-45932. The fix adds a capability check requiring CAP_NET_ADMIN or CAP_SYS_ADMIN for BPF_PROG_DETACH on tcx or netkit devices when no program file descriptor is supplied. In the provided vendor context, fixed SUSE package versions include, for example, SUSE Linux Enterprise Server 16.0 and openSUSE Leap 16.0 kernel packages at 6.12.0-160000.35.1 or later, SLE 15 SP6-LTSS kernel packages at 6.4.0-150600.23.118.1 or later, SLE Desktop 15 SP7 kernel packages at 6.4.0-150700.53.60.1 or later, and SUSE Linux Micro 6.0/6.1 kernel-default at 6.4.0-47.1 or later.