GHSA-MFC2-6J6Q-99VP
Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-28 09:31In the Linux kernel, the following vulnerability has been resolved:
bpf, arm64: Fix off-by-one in check_imm signed range check
check_imm(bits, imm) is used in the arm64 BPF JIT to verify that a branch displacement (in arm64 instruction units) fits into the signed N-bit immediate field of a B, B.cond or CBZ/CBNZ encoding before it is handed to the encoder. The macro currently tests for (imm > 0 && imm >> bits) || (imm < 0 && ~imm >> bits) which admits values in [-2^N, 2^N) — effectively a signed (N+1)-bit range. A signed N-bit field only holds [-2^(N-1), 2^(N-1)), so the check admits one extra bit of range on each side.
In particular, for check_imm19(), values in [2^18, 2^19) slip past the check but do not fit into the 19-bit signed imm19 field of B.cond. aarch64_insn_encode_immediate() then masks the raw value into the 19-bit field, setting bit 18 (the sign bit) and flipping a forward branch into a backward one. Same class of issue exists for check_imm26() and the B/BL encoding. Shift by (bits - 1) instead of bits so the actual signed N-bit range is enforced.
{
"affected": [],
"aliases": [
"CVE-2026-53036"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T17:17:15Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, arm64: Fix off-by-one in check_imm signed range check\n\ncheck_imm(bits, imm) is used in the arm64 BPF JIT to verify that\na branch displacement (in arm64 instruction units) fits into the\nsigned N-bit immediate field of a B, B.cond or CBZ/CBNZ encoding\nbefore it is handed to the encoder. The macro currently tests for\n(imm \u003e 0 \u0026\u0026 imm \u003e\u003e bits) || (imm \u003c 0 \u0026\u0026 ~imm \u003e\u003e bits) which admits\nvalues in [-2^N, 2^N) \u2014 effectively a signed (N+1)-bit range. A\nsigned N-bit field only holds [-2^(N-1), 2^(N-1)), so the check\nadmits one extra bit of range on each side.\n\nIn particular, for check_imm19(), values in [2^18, 2^19) slip past\nthe check but do not fit into the 19-bit signed imm19 field of\nB.cond. aarch64_insn_encode_immediate() then masks the raw value\ninto the 19-bit field, setting bit 18 (the sign bit) and flipping\na forward branch into a backward one. Same class of issue exists\nfor check_imm26() and the B/BL encoding. Shift by (bits - 1)\ninstead of bits so the actual signed N-bit range is enforced.",
"id": "GHSA-mfc2-6j6q-99vp",
"modified": "2026-06-28T09:31:39Z",
"published": "2026-06-24T18:32:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53036"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1a113b5497297871699cd498b1b83542e0db7f15"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1dd8be4ec722ce54e4cace59f3a4ba658111b3ec"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6927f0d6794aa73318bbfa929f1ff6065b0620df"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7fd3b41260c6120e7b60164afea5d961af6224f9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a5dfeb3b61065039488342d43ae06d4729d955d4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fb74defa1cca1a73177c0c761e641332e4f979a3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.