Description
In the Linux kernel, the following vulnerability has been resolved:

bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing

struct bpf_plt contains a u64 target field. Currently, the BPF JIT
allocator requests an alignment of 4 bytes (sizeof(u32)) for the JIT
buffer.

Because the base address of the JIT buffer can be 4-byte aligned (e.g.,
ending in 0x4 or 0xc), the relative padding logic in build_plt() fails
to ensure that target lands on an 8-byte boundary.

This leads to two issues:
1. UBSAN reports misaligned-access warnings when dereferencing the
structure.
2. More critically, target is updated concurrently via WRITE_ONCE() in
bpf_arch_text_poke() while the JIT'd code executes ldr. On arm64,
64-bit loads/stores are only guaranteed to be single-copy atomic if
they are 64-bit aligned. A misaligned target risks a torn read,
causing the JIT to jump to a corrupted address.

Fix this by increasing the allocation alignment requirement to 8 bytes
(sizeof(u64)) in bpf_jit_binary_pack_alloc(). This anchors the base of
the JIT buffer to an 8-byte boundary, allowing the relative padding math
in build_plt() to correctly align the target field.
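
The alignment arithmetic described above, as an added example (a simplified model, not the kernel's build_plt() code): padding chosen from the instruction index alone puts target on an 8-byte boundary only when the buffer base is itself 8-byte aligned. The 8-byte offset of target inside the PLT, the function names and the base addresses are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define INSN_SIZE          4u  /* arm64 instructions are 4 bytes */
#define PLT_TARGET_OFFSET  8u  /* assumed layout: two u32 instructions, then u64 target */

/*
 * Model of offset-relative padding: decide whether to emit one NOP by
 * looking only at the instruction index inside the buffer, never at the
 * absolute address. Returns the absolute address where target would land.
 */
static uint64_t plt_target_addr(uint64_t image_base, uint32_t idx)
{
    if ((idx + PLT_TARGET_OFFSET / INSN_SIZE) % 2)
        idx++;                          /* one NOP of padding */
    return image_base + (uint64_t)idx * INSN_SIZE + PLT_TARGET_OFFSET;
}

/* Count instruction indexes in [0, n) whose target is not 8-byte aligned. */
static unsigned misaligned_targets(uint64_t image_base, uint32_t n)
{
    unsigned bad = 0;
    for (uint32_t idx = 0; idx < n; idx++)
        if (plt_target_addr(image_base, idx) % sizeof(uint64_t))
            bad++;
    return bad;
}

int main(void)
{
    /* Constructed base addresses, not taken from a real system. */
    const uint64_t bases[] = { 0x1000, 0x1004, 0x1008, 0x100c };
    for (unsigned i = 0; i < 4; i++)
        printf("base=0x%llx misaligned=%u/64\n",
               (unsigned long long)bases[i], misaligned_targets(bases[i], 64));
    return 0;
}
```

With a base that is only 4-byte aligned, every PLT position yields a misaligned target, because the padding corrects the offset within the buffer but cannot correct the base.
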
Published: 2026-03-25
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: Kernel memory corruption that may allow execution of unintended code
Action: Patch immediately
AI Analysis

Impact

The Linux kernel’s BPF Just‑In‑Time compiler for ARM64 allocates its executable buffer with only 4‑byte alignment, while the PLT target structure contains a 64‑bit field that requires 8‑byte alignment. When the JIT buffer is not properly aligned, a concurrent update of the target field and a 64‑bit load performed by the JITed code can result in a torn read. This misaligned access may cause the kernel to jump to a corrupted address. The flaw therefore poses a risk for kernel memory corruption and potential execution of unintended code. The description states that the issue leads to a corrupted jump target, which could be interpreted as a form of arbitrary kernel code execution; this conclusion is inferred from the text.

Affected Systems

Any Linux kernel running on an ARM64 platform that incorporates the unpatched BPF JIT logic is affected. This includes all kernel versions that contain the original 4‑byte alignment for the JIT buffer and lack the recent change to enforce 8‑byte alignment. The scope covers all distributions shipping such kernels; no specific vendor or version is listed. The affected vendors are those providing the Linux kernel compiled for ARM64.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.0, indicating high severity. EPSS analysis shows less than a 1% chance of exploitation in the wild, and it is not recorded in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires loading a BPF program, which is typically limited to privileged users or services; thus the attack vector is likely local. Based on the description, a local attacker with the ability to load BPF code could trigger the misaligned read and potentially gain kernel‑level execution. The impact is therefore significant but the current likelihood of exploitation remains low.

Generated by OpenCVE AI on March 26, 2026 at 04:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel update that fixes the BPF JIT alignment issue for ARM64.
  • Reboot the machine to activate the patched kernel if a hot‑patch cannot be applied.
  • If the patch is not yet available or cannot be applied immediately, disable the BPF JIT feature or restrict BPF program loading to authorized users.



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 00:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-468
References | |
Metrics | threat_severity: None | cvssV3_1: {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity: Moderate


Wed, 25 Mar 2026 10:45:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing struct bpf_plt contains a u64 target field. Currently, the BPF JIT allocator requests an alignment of 4 bytes (sizeof(u32)) for the JIT buffer. Because the base address of the JIT buffer can be 4-byte aligned (e.g., ending in 0x4 or 0xc), the relative padding logic in build_plt() fails to ensure that target lands on an 8-byte boundary. This leads to two issues: 1. UBSAN reports misaligned-access warnings when dereferencing the structure. 2. More critically, target is updated concurrently via WRITE_ONCE() in bpf_arch_text_poke() while the JIT'd code executes ldr. On arm64, 64-bit loads/stores are only guaranteed to be single-copy atomic if they are 64-bit aligned. A misaligned target risks a torn read, causing the JIT to jump to a corrupted address. Fix this by increasing the allocation alignment requirement to 8 bytes (sizeof(u64)) in bpf_jit_binary_pack_alloc(). This anchors the base of the JIT buffer to an 8-byte boundary, allowing the relative padding math in build_plt() to correctly align the target field.
Title | | bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-03-25T10:28:02.126Z

Reserved: 2026-01-13T15:37:46.007Z

Link: CVE-2026-23383

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-03-25T11:16:38.487

Modified: 2026-03-25T15:41:33.977

Link: CVE-2026-23383

Redhat

Severity: Moderate

Public Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23383 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-26T12:15:35Z

Weaknesses