CVE-2026-43306 Overview
CVE-2026-43306 is a Linux kernel vulnerability in the Berkeley Packet Filter (BPF) crypto subsystem. The flaw stems from an incorrect destructor kfunc type registration for bpf_crypto_ctx_release(). On kernels built with Control Flow Integrity (CONFIG_CFI) enabled, the type mismatch triggers a CFI failure when bpf_obj_free_fields() performs an indirect call to the destructor. This results in a kernel oops and denial of service on affected systems.
Critical Impact
A local, low-privileged user able to load BPF programs that reference crypto context objects can trigger a CFI violation, causing kernel panic and host-wide denial of service on CFI-enabled Linux builds.
Affected Products
- Linux Kernel (mainline branches containing the BPF crypto kfunc registration)
- Linux distributions shipping kernels built with CONFIG_CFI_CLANG
- Stable kernel trees prior to the commits listed in the kernel.org advisories
Discovery Timeline
- 2026-05-08 - CVE-2026-43306 published to the National Vulnerability Database
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43306
Vulnerability Analysis
The vulnerability resides in the BPF crypto subsystem of the Linux kernel. The kernel registers bpf_crypto_ctx_release() as the destructor kfunc for BPF crypto context objects. The function signature does not match the type expected by the indirect call site inside bpf_obj_free_fields().
When CONFIG_CFI is active, the kernel validates that the function pointer type at every indirect call matches the target function's declared type. The mismatch produces a CFI failure of the form CFI failure at bpf_obj_free_fields+0x190/0x238 (target: bpf_crypto_ctx_release+0x0/0x94; expected type: 0xa488ebfc), followed by an Internal error: Oops - CFI and kernel panic.
The fix introduces a thin stub function with the correct destructor signature and registers it as the kfunc instead. The original bpf_crypto_ctx_release() retains its void * parameter so BPF program verification still succeeds [NVD-CWE-noinfo].
Root Cause
The destructor kfunc registration used a function whose type signature accepted a typed pointer argument, while the BPF runtime invokes destructors through a pointer expecting a generic object argument. The CFI hash for the call site (0xa488ebfc) did not match the hash computed for bpf_crypto_ctx_release, so the integrity check aborted execution.
Attack Vector
Exploitation requires local access and the ability to load or attach BPF programs that allocate and release crypto context objects. This typically requires CAP_BPF or CAP_SYS_ADMIN, though unprivileged BPF may be available on some configurations. The triggered oops halts kernel execution paths and can crash the host, producing a denial-of-service condition.
No public proof-of-concept exploit is listed in the advisory, and the issue is not present on the CISA Known Exploited Vulnerabilities list. The EPSS data records an exploitation probability of 0.013%.
Detection Methods for CVE-2026-43306
Indicators of Compromise
- Kernel log entries containing CFI failure at bpf_obj_free_fields referencing bpf_crypto_ctx_release as the call target.
- Internal error: Oops - CFI panic messages followed by BPF-related stack frames in dmesg or journalctl -k.
- Unexpected host reboots or kernel panics correlated with workloads loading BPF crypto programs.
Detection Strategies
- Inspect kernel ring buffers for CFI violation signatures using dmesg | grep -i "CFI failure" across the fleet.
- Audit BPF program loads with bpftool prog show and correlate against unprivileged users or unexpected workloads.
- Compare running kernel versions (uname -r) against the patched commit hashes published on kernel.org.
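The log checks above, as an added example (not part of the advisory or of any kernel tooling): a parser for the CFI failure line format quoted earlier on this page. It separates this CVE's call-site/target pair from unrelated CFI failures and records whether an Oops - CFI line followed. The sample log and the names scan_cfi_failures, count_cve_hits, example_caller and example_target are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the advisory): classify CFI failures in kernel log text.

# Constructed sample log. The first two lines use the message format quoted in
# this advisory; the timestamps and the unrelated third line are made up.
SAMPLE_LOG='[  812.101] CFI failure at bpf_obj_free_fields+0x190/0x238 (target: bpf_crypto_ctx_release+0x0/0x94; expected type: 0xa488ebfc)
[  812.102] Internal error: Oops - CFI
[ 1440.250] CFI failure at example_caller+0x40/0x80 (target: example_target+0x0/0x20; expected type: 0x12345678)'

# Reads kernel log text on stdin. Prints one line per CFI failure:
#   <verdict> <call-site> <target> <expected-type> oops=<yes|no>
scan_cfi_failures() {
  awk '
    function emit() {
      if (site != "") print verdict, site, target, etype, "oops=" oops
    }
    /CFI failure at / {
      emit()                                   # flush the previous record
      rest = $0
      sub(/^.*CFI failure at /, "", rest)      # drop timestamp and prefix
      site = rest; sub(/[+ ].*$/, "", site)    # symbol before +offset
      target = "?"; etype = "?"
      if (index(rest, "target: ")) {
        target = rest
        sub(/^.*target: /, "", target); sub(/[+;)].*$/, "", target)
      }
      if (index(rest, "expected type: ")) {
        etype = rest
        sub(/^.*expected type: /, "", etype); sub(/[^0-9a-fx].*$/, "", etype)
      }
      hit = (site == "bpf_obj_free_fields" && target == "bpf_crypto_ctx_release")
      verdict = hit ? "CVE-2026-43306" : "other-cfi"
      oops = "no"
      next
    }
    /Oops - CFI/ { if (site != "") oops = "yes" }
    END { emit() }
  '
}

# Number of failures on stdin that match this CVE (call site and target both match).
count_cve_hits() {
  scan_cfi_failures | awk '$1 == "CVE-2026-43306" { n++ } END { print n + 0 }'
}

# Demo on the sample; on a host, pipe in `dmesg` or `journalctl -k` instead.
printf '%s\n' "$SAMPLE_LOG" | scan_cfi_failures
```

Matching on both the call site and the target keeps unrelated CFI failures out of the alert, which a plain grep for "CFI failure" does not.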
Monitoring Recommendations
- Forward kernel logs to a centralized logging or SIEM platform and alert on CFI failure strings.
- Enable BPF audit logging where supported to record program load events and the loading UID.
- Track host reboot frequency and kernel oops counters as health signals for fleet-wide regressions.
How to Mitigate CVE-2026-43306
Immediate Actions Required
- Apply the upstream stable kernel updates that register the corrected destructor stub for the BPF crypto kfunc.
- Inventory hosts running CFI-enabled kernels and prioritize patching on systems exposing BPF to non-root users.
- Restrict BPF program loading to trusted administrators by setting kernel.unprivileged_bpf_disabled=1.
Patch Information
The issue is resolved by the following upstream commits on kernel.org: Linux Kernel Commit 3979a550, Linux Kernel Commit 4e3e57db, Linux Kernel Commit 50d6fd69, and Linux Kernel Commit b40a5d72. Rebuild and redeploy kernels from the corresponding stable branches.
Workarounds
- Disable unprivileged BPF program loading by setting sysctl kernel.unprivileged_bpf_disabled=1 until patches are deployed.
- Build kernels without CONFIG_CFI_CLANG to avoid the panic path, accepting the loss of CFI protection as a tradeoff.
- Remove or restrict use of the BPF crypto kfunc set in workloads that do not require it.
# Configuration example
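# Disable unprivileged BPF program loading until patched kernels are deployed.
# Once set to 1, the value cannot be changed back on the running kernel; reverting requires a reboot.
sudo sysctl -w kernel.unprivileged_bpf_disabled=1
# Persist the setting across reboots
echo 'kernel.unprivileged_bpf_disabled=1' | sudo tee /etc/sysctl.d/90-bpf-hardening.conf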
# Verify the running kernel version against patched stable releases
uname -r


