What is CVE-2026-45933?

CVE-2026-45933 is a High severity Linux kernel vulnerability with a CVSS score of 7.8 out of 10, affecting Linux kernel versions from 6.11 onward and patched in 6.12.75, 6.18.14, 6.19.4 and others. CVE-2026-45933 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2026-45933?

CVE-2026-45933 has a CVSS score of 7.8 out of 10, rated High severity. The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Is there a patch available for CVE-2026-45933?

Yes, CVE-2026-45933 has been patched. Fixed versions include 6.12.75, 6.18.14, 6.19.4 and others. If you are running Linux kernel 6.11 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2026-45933 actively exploited?

CVE-2026-45933 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2026-45933

High

In the Linux kernel, the following vulnerability has been resolved: bpf: Preserve id of register in sync_linked_regs() sync_linked_regs() copies the id of known_reg to reg when propagating bounds of known_reg to reg using the off of known_reg, but when known_reg was linked to reg like: known_reg = reg ; both known_reg and reg get same id known_reg += 4 ; known_reg gets off = 4, and its id gets BPF_ADD_CONST now when a call to sync_linked_regs() happens, let's say with the following: if known_reg >= 10 goto pc+2 known_reg's new bounds are propagated to reg but now reg gets BPF_ADD_CONST from the copy. This means if another link to reg is created like: another_reg = reg ; another_reg should get the id of reg but assign_scalar_id_before_mov() sees BPF_ADD_CONST on reg and assigns a new id to it. As reg has a new id now, known_reg's link to reg is broken. If we find new bounds for known_reg, they will not be propagated to reg. This can be seen in the selftest added in the next commit: 0: (85) call bpf_get_prandom_u32#7 ; R0=scalar() 1: (57) r0 &= 255 ; R0=scalar(smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff)) 2: (bf) r1 = r0 ; R0=scalar(id=1,smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff)) R1=scalar(id=1,smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff)) 3: (07) r1 += 4 ; R1=scalar(id=1+4,smin=umin=smin32=umin32=4,smax=umax=smax32=umax32=259,var_off=(0x0; 0x1ff)) 4: (a5) if r1 < 0xa goto pc+4 ; R1=scalar(id=1+4,smin=umin=smin32=umin32=10,smax=umax=smax32=umax32=259,var_off=(0x0; 0x1ff)) 5: (bf) r2 = r0 ; R0=scalar(id=2,smin=umin=smin32=umin32=6,smax=umax=smax32=umax32=255) R2=scalar(id=2,smin=umin=smin32=umin32=6,smax=umax=smax32=umax32=255) 6: (a5) if r1 < 0xe goto pc+2 ; R1=scalar(id=1+4,smin=umin=smin32=umin32=14,smax=umax=smax32=umax32=259,var_off=(0x0; 0x1ff)) 7: (35) if r0 >= 0xa goto pc+1 ; R0=scalar(id=2,smin=umin=smin32=umin32=6,smax=umax=smax32=umax32=9,var_off=(0x0; 0xf)) 8: (37) r0 /= 0 div by zero When 4 is verified, r1's bounds are propagated to r0 but r0 also gets BPF_ADD_CONST (bug). When 5 is verified, r0 gets a new id (2) and its link with r1 is broken. After 6 we know r1 has bounds [14, 259] and therefore r0 should have bounds [10, 255], therefore the branch at 7 is always taken. But because r0's id was changed to 2, r1's new bounds are not propagated to r0. The verifier still thinks r0 has bounds [6, 255] before 7 and execution can reach div by zero. Fix this by preserving id in sync_linked_regs() like off and subreg_def.

Package Linux Kernel

Published 2026-05-27

Last modified 2026-05-30

CVSS version 3.1

Patch available

Yes

CVSS 3.1 score

7.8

out of 10

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected versions

Linux kernel versions 6.11 and later are affected. Fixed in 6.12.75, 6.18.14, 6.19.4, 7.0 and their respective stable series.

Affected from

≥ 6.11

Fixed in

✓ 6.12.75 6.12.x ✓ 6.18.14 6.18.x ✓ 6.19.4 6.19.x ✓ 7.0

References

The following references provide additional information about CVE-2026-45933 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/58059335e46537de682db84984f7716c813208c4
Patch
Kernel patch commit
https://git.kernel.org/stable/c/65d114b5270b62aefb820ecd6c3b7caeea8f895d
Patch
Kernel patch commit
https://git.kernel.org/stable/c/92a8cb1806adefb263cf096eab6705705cf7eee1
Patch

4 patch commits total View all on NVD

Details

CVE ID CVE-2026-45933

Severity High

CVSS score 7.8 / 10

CVSS version 3.1

Published 2026-05-27

Modified 2026-05-30

KEV No

Patch

Yes

Package linux

Frequently asked questions

What is CVE-2026-45933?

CVE-2026-45933 is a High severity Linux kernel vulnerability with a CVSS score of 7.8 out of 10 . It affects Linux kernel versions from 6.11 onward and has been patched in 6.12.75, 6.18.14, 6.19.4 and others. CVE-2026-45933 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
What is the CVSS score for CVE-2026-45933?

CVE-2026-45933 has a CVSS score of 7.8 out of 10, rated High severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Is there a patch available for CVE-2026-45933?

Yes — CVE-2026-45933 has been patched. Fixed versions include 6.12.75, 6.18.14, 6.19.4 and others. If you are running Linux kernel 6.11 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2026-45933 actively exploited?

No — CVE-2026-45933 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.