CVE-2026-53095
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix abuse of kprobe_write_ctx via freplace uprobe programs are allowed to modify struct pt_regs. Since the actual program type of uprobe is KPROBE, it can be abused to modify struct pt_regs via kprobe+freplace when the kprobe attaches to kernel functions. For example, SEC("?kprobe") int kprobe(struct pt_regs *regs) { return 0; } SEC("?freplace") int freplace_kprobe(struct pt_regs *regs) { regs->di = 0; return 0; } freplace_kprobe prog will attach to kprobe prog. kprobe prog will attach to a kernel function. Without this patch, when the kernel function runs, its first arg will always be set as 0 via the freplace_kprobe prog. To fix the abuse of kprobe_write_ctx=true via kprobe+freplace, disallow attaching freplace programs on kprobe programs with different kprobe_write_ctx values.
Affected versions
Linux kernel versions
6.18
and later are affected. Fixed in
6.18.33,
7.0.10,
7.1
and their respective stable series.
References
3 totalFrequently asked questions
-
What is CVE-2026-53095?
CVE-2026-53095 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 6.18 onward and has been patched in 6.18.33, 7.0.10 and 7.1. CVE-2026-53095 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
-
Is there a patch available for CVE-2026-53095?
Yes — CVE-2026-53095 has been patched. Fixed versions include 6.18.33, 7.0.10 and 7.1. If you are running Linux kernel 6.18 or later up to the fix versions, apply the relevant patch for your kernel branch.
-
Is CVE-2026-53095 actively exploited?
No — CVE-2026-53095 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.