
CVE-2026-45932: Linux Kernel Auth Bypass Vulnerability

CVE-2026-45932 is an authentication bypass flaw in the Linux kernel's BPF subsystem affecting tcx and netkit devices. Attackers can detach BPF programs without proper permissions. This article covers technical details, impact, and mitigation.


CVE-2026-45932 Overview

CVE-2026-45932 is a Linux kernel vulnerability in the Berkeley Packet Filter (BPF) subsystem. The flaw allows any unprivileged user to invoke BPF_PROG_DETACH on tcx or netkit devices when no program file descriptor is provided. The kernel skips permission validation in this path, bypassing the standard capability checks.

The patch adds an explicit check requiring CAP_NET_ADMIN or CAP_SYS_ADMIN before allowing the detach operation. Without the fix, local users can detach BPF programs attached to network traffic control or netkit interfaces, disrupting filtering, classification, or container networking policies.

Critical Impact

Local unprivileged users can detach BPF programs from tcx and netkit devices, disabling network-layer security and traffic policies enforced by the kernel.

Affected Products

  • Linux kernel versions containing the tcx and netkit BPF attach types prior to the fix commits
  • Distributions shipping kernels built from affected upstream sources
  • Container and virtualization platforms relying on netkit for tenant network isolation

Discovery Timeline

  • 2026-05-27 - CVE-2026-45932 published to NVD
  • 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-45932

Vulnerability Analysis

The vulnerability resides in the BPF syscall dispatch logic that handles BPF_PROG_DETACH requests targeting tcx (traffic control express) and netkit attach points. When userspace issues a detach request with a valid program file descriptor, the kernel resolves the program and applies the necessary permission checks tied to that program object.

When no program file descriptor is supplied, the kernel takes an alternate path that removes the attached program by index or anchor reference. This path failed to invoke capability validation, allowing any process to remove BPF programs governing packet processing on the affected interfaces.

Detaching a tcx or netkit program can disable ingress and egress filtering, container traffic isolation, observability hooks, or security policies enforced through BPF. The result is a local privilege boundary violation that affects network-layer integrity rather than memory safety.

Root Cause

The root cause is a missing authorization check [CWE-862] in the no-fd branch of the tcx and netkit detach handler. Properly guarded paths required CAP_NET_ADMIN or CAP_SYS_ADMIN, but this branch reached the link removal logic without consulting bpf_net_capable() or an equivalent check.

Attack Vector

An attacker with local shell access on a vulnerable host can call the bpf() syscall with BPF_PROG_DETACH, specifying the target interface and attach type while omitting the program file descriptor. The kernel processes the request and removes the attached program without verifying privileges. No memory corruption or kernel code execution is required.

The vulnerability is described in prose because no verified proof-of-concept code is published. Technical detail is available in the upstream fix commits: kernel commit 3f04cc1e, kernel commit 4e0772cd, and kernel commit ae23bc81.

Detection Methods for CVE-2026-45932

Indicators of Compromise

  • Unexpected disappearance of tcx or netkit BPF programs from interfaces, verifiable with bpftool net show and bpftool link show.
  • Audit log entries showing bpf() syscalls from non-root UIDs that lack CAP_NET_ADMIN or CAP_SYS_ADMIN.
  • Loss of expected traffic control behavior on container or virtual network interfaces without administrator action.

Detection Strategies

  • Enable kernel auditd rules for the bpf syscall and alert on BPF_PROG_DETACH invocations from unprivileged users.
  • Periodically snapshot the output of bpftool link list and diff against a known-good baseline to detect unauthorized detachments.
  • Correlate process execution telemetry with bpf() syscall activity to identify processes that should not interact with the BPF subsystem.
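The two detection strategies above, worked through as an added example (not part of the advisory): a baseline diff of `bpftool net show -j` output that reports tcx/netkit programs that vanished from an interface, and a filter over auditd SYSCALL records for bpf(2) calls whose command is BPF_PROG_DETACH from a non-root uid. The bpftool JSON field names are assumed from bpftool's net output, the syscall number is the x86_64 value, and all sample data is constructed.

```python
import json
import re
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value / key="value" pairs in an audit record

BPF_PROG_DETACH = 9        # bpf(2) command number for BPF_PROG_DETACH (a0 in the audit record)
BPF_SYSCALL_NR = "321"     # bpf(2) on x86_64; other architectures use a different number
WATCHED_KINDS = {"tcx/ingress", "tcx/egress", "netkit/primary", "netkit/peer"}

def _tc_index(snapshot_json):
    """Map (devname, kind) -> set of prog ids from `bpftool net show -j` output (assumed field names)."""
    index = {}
    for dev_block in json.loads(snapshot_json):
        for entry in dev_block.get("tc", []):
            if entry.get("kind") in WATCHED_KINDS:
                index.setdefault((entry["devname"], entry["kind"]), set()).add(entry["id"])
    return index

def missing_tc_programs(baseline_json, current_json):
    """Programs present in the baseline snapshot but absent now, as [(devname, kind, prog_id)]."""
    base, cur = _tc_index(baseline_json), _tc_index(current_json)
    return sorted((dev, kind, pid) for (dev, kind), ids in base.items()
                  for pid in ids - cur.get((dev, kind), set()))

def unprivileged_detach_records(audit_lines):
    """Audit SYSCALL records (e.g. from `auditctl -a always,exit -F arch=b64 -S bpf -k bpf`)
    where a non-root uid called bpf(BPF_PROG_DETACH, ...). uid != 0 is a proxy for the
    missing CAP_NET_ADMIN/CAP_SYS_ADMIN; audit records do not carry capability sets."""
    hits = []
    for line in audit_lines:
        f = {k: v.strip('"') for k, v in _FIELD.findall(line)}
        if f.get("type") != "SYSCALL" or f.get("syscall") != BPF_SYSCALL_NR:
            continue
        if int(f.get("a0", "0"), 16) != BPF_PROG_DETACH or f.get("uid") == "0":
            continue
        hits.append({"pid": f["pid"], "uid": f["uid"], "comm": f.get("comm"), "exe": f.get("exe")})
    return hits

# Constructed sample data (not real hosts): eth0 loses its tcx ingress program between snapshots.
BASELINE = json.dumps([{"xdp": [], "tc": [
    {"devname": "eth0", "ifindex": 2, "kind": "tcx/ingress", "id": 42, "name": "ingress_filter"},
    {"devname": "nk0", "ifindex": 7, "kind": "netkit/primary", "id": 57, "name": "tenant_policy"}],
    "flow_dissector": [], "netfilter": []}])
CURRENT = json.dumps([{"xdp": [], "tc": [
    {"devname": "nk0", "ifindex": 7, "kind": "netkit/primary", "id": 57, "name": "tenant_policy"}],
    "flow_dissector": [], "netfilter": []}])
AUDIT_LOG = [  # constructed: a root BPF_PROG_LOAD (a0=5) and an unprivileged BPF_PROG_DETACH (a0=9)
    'type=SYSCALL msg=audit(1779999999.100:41): arch=c000003e syscall=321 success=yes exit=0 '
    'a0=5 a1=7ffd1c2e0a40 a2=90 a3=0 pid=900 auid=4294967295 uid=0 comm="bpftool" exe="/usr/sbin/bpftool" key="bpf"',
    'type=SYSCALL msg=audit(1779999999.200:42): arch=c000003e syscall=321 success=yes exit=0 '
    'a0=9 a1=7ffd1c2e0a40 a2=90 a3=0 pid=1234 auid=1000 uid=1000 comm="tool" exe="/home/user/tool" key="bpf"',
]
```

Feed `missing_tc_programs` a stored baseline and a fresh `bpftool net show -j` capture on a schedule; any non-empty result on an unpatched host is worth investigating alongside the audit hits.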

Monitoring Recommendations

  • Forward kernel audit events and process telemetry to a central SIEM for correlation across hosts.
  • Track changes to BPF link inventory on hosts running container runtimes that rely on netkit.
  • Alert when an interface that previously had a tcx ingress or egress program transitions to having none.

How to Mitigate CVE-2026-45932

Immediate Actions Required

  • Apply the upstream Linux kernel patches referenced in this advisory and reboot affected hosts.
  • Inventory hosts using tcx or netkit BPF programs and prioritize their patching.
  • Restrict local shell access on multi-tenant systems until patched kernels are deployed.

Patch Information

The fix is applied in upstream Linux via three stable commits that add a CAP_NET_ADMIN or CAP_SYS_ADMIN capability check to the tcx and netkit detach path when no program file descriptor is supplied. Refer to commit 3f04cc1e, commit 4e0772cd, and commit ae23bc81. Track downstream distribution advisories for backported kernel packages.

Workarounds

  • Limit local user access on hosts running BPF-based network policies until patches are applied.
  • Use seccomp or LSM policies to restrict the bpf() syscall to authorized service accounts.
  • Avoid relying solely on tcx or netkit BPF programs for security boundaries on unpatched kernels.

```bash
# Example: restrict the bpf() syscall via seccomp for untrusted services.
# In the service's systemd unit file. There is no @bpf syscall set, so the
# syscall is named directly (it is also part of the @privileged set):
[Service]
SystemCallFilter=~bpf
CapabilityBoundingSet=
AmbientCapabilities=

# Verify current tcx/netkit attachments after patching
bpftool net show
bpftool link show
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
