CVE-2026-53314 Affecting bpftool-debuginfo package, versions <1:6.1.175-219.357.amzn2023


Severity

Recommended
high

Based on Amazon Linux security rating.

Threat Intelligence

EPSS
0.11% (2nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-AMZN2023-BPFTOOLDEBUGINFO-17946292
  • published11 Jul 2026
  • disclosed26 Jun 2026

Introduced: 26 Jun 2026

NewCVE-2026-53314  (opens in a new tab)

How to fix?

Upgrade Amazon-Linux:2023 bpftool-debuginfo to version 1:6.1.175-219.357.amzn2023 or higher.
This issue was patched in ALAS2023-2026-1882.

NVD Description

Note: Versions mentioned in the description apply only to the upstream bpftool-debuginfo package and not the bpftool-debuginfo package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2023 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

padata: Put CPU offline callback in ONLINE section to allow failure

syzbot reported the following warning:

DEAD callback error for CPU1
WARNING: kernel/cpu.c:1463 at _cpu_down+0x759/0x1020 kernel/cpu.c:1463, CPU#0: syz.0.1960/14614

at commit 4ae12d8bd9a8 ("Merge tag 'kbuild-fixes-7.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/kbuild/linux") which tglx traced to padata_cpu_dead() given it's the only sub-CPUHP_TEARDOWN_CPU callback that returns an error.

Failure isn't allowed in hotplug states before CPUHP_TEARDOWN_CPU so move the CPU offline callback to the ONLINE section where failure is possible.

CVSS Base Scores

version 3.1