Linux Kernel up to 6.12.90/6.18.32/7.0.9 bpf arena_alloc_pages allocation of resources

Summaryinfo

A vulnerability was found in Linux Kernel up to 6.12.90/6.18.32/7.0.9 and classified as critical. This impacts the function arena_alloc_pages of the component bpf. Executing a manipulation can lead to allocation of resources. This vulnerability is handled as CVE-2026-53031. There is not any exploit available. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability was found in Linux Kernel up to 6.12.90/6.18.32/7.0.9. It has been declared as critical. This vulnerability affects the function arena_alloc_pages of the component bpf. The manipulation with an unknown input leads to a allocation of resources vulnerability. The CWE definition for the vulnerability is CWE-770. The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. The impact remains unknown. CVE summarizes:

In the Linux kernel, the following vulnerability has been resolved: bpf: Validate node_id in arena_alloc_pages() arena_alloc_pages() accepts a plain int node_id and forwards it through the entire allocation chain without any bounds checking. Validate node_id before passing it down the allocation chain in arena_alloc_pages().

The advisory is available at git.kernel.org. This vulnerability was named CVE-2026-53031 since 06/09/2026. Technical details are known, but there is no available exploit.

Upgrading to version 6.12.91, 6.18.33 or 7.0.10 eliminates this vulnerability. Applying the patch 31d3b4b28e55835646d6829d60023f730dd34e85/e15900888c09480a4c632bc598f1c5bd39bed6d6/fb66e20130f95a93ffea1677252526a9e39170b2/2845989f2ebaf7848e4eccf9a779daf3156ea0a5 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 6.12.0
• 6.12.1
• 6.12.2
• 6.12.3
• 6.12.4
• 6.12.5
• 6.12.6
• 6.12.7
• 6.12.8
• 6.12.9
• 6.12.10
• 6.12.11
• 6.12.12
• 6.12.13
• 6.12.14
• 6.12.15
• 6.12.16
• 6.12.17
• 6.12.18
• 6.12.19
• 6.12.20
• 6.12.21
• 6.12.22
• 6.12.23
• 6.12.24
• 6.12.25
• 6.12.26
• 6.12.27
• 6.12.28
• 6.12.29
• 6.12.30
• 6.12.31
• 6.12.32
• 6.12.33
• 6.12.34
• 6.12.35
• 6.12.36
• 6.12.37
• 6.12.38
• 6.12.39
• 6.12.40
• 6.12.41
• 6.12.42
• 6.12.43
• 6.12.44
• 6.12.45
• 6.12.46
• 6.12.47
• 6.12.48
• 6.12.49
• 6.12.50
• 6.12.51
• 6.12.52
• 6.12.53
• 6.12.54
• 6.12.55
• 6.12.56
• 6.12.57
• 6.12.58
• 6.12.59
• 6.12.60
• 6.12.61
• 6.12.62
• 6.12.63
• 6.12.64
• 6.12.65
• 6.12.66
• 6.12.67
• 6.12.68
• 6.12.69
• 6.12.70
• 6.12.71
• 6.12.72
• 6.12.73
• 6.12.74
• 6.12.75
• 6.12.76
• 6.12.77
• 6.12.78
• 6.12.79
• 6.12.80
• 6.12.81
• 6.12.82
• 6.12.83
• 6.12.84
• 6.12.85
• 6.12.86
• 6.12.87
• 6.12.88
• 6.12.89
• 6.12.90
• 6.18.0
• 6.18.1
• 6.18.2
• 6.18.3
• 6.18.4
• 6.18.5
• 6.18.6
• 6.18.7
• 6.18.8
• 6.18.9
• 6.18.10
• 6.18.11
• 6.18.12
• 6.18.13
• 6.18.14
• 6.18.15
• 6.18.16
• 6.18.17
• 6.18.18
• 6.18.19
• 6.18.20
• 6.18.21
• 6.18.22
• 6.18.23
• 6.18.24
• 6.18.25
• 6.18.26
• 6.18.27
• 6.18.28
• 6.18.29
• 6.18.30
• 6.18.31
• 6.18.32
• 7.0.0
• 7.0.1
• 7.0.2
• 7.0.3
• 7.0.4
• 7.0.5
• 7.0.6
• 7.0.7
• 7.0.8
• 7.0.9

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion