Description
In the Linux kernel, the following vulnerability has been resolved:

bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing

struct bpf_plt contains a u64 target field. Currently, the BPF JIT
allocator requests an alignment of 4 bytes (sizeof(u32)) for the JIT
buffer.

Because the base address of the JIT buffer can be 4-byte aligned (e.g.,
ending in 0x4 or 0xc), the relative padding logic in build_plt() fails
to ensure that target lands on an 8-byte boundary.

This leads to two issues:
1. UBSAN reports misaligned-access warnings when dereferencing the
structure.
2. More critically, target is updated concurrently via WRITE_ONCE() in
bpf_arch_text_poke() while the JIT'd code executes ldr. On arm64,
64-bit loads/stores are only guaranteed to be single-copy atomic if
they are 64-bit aligned. A misaligned target risks a torn read,
causing the JIT to jump to a corrupted address.

Fix this by increasing the allocation alignment requirement to 8 bytes
(sizeof(u64)) in bpf_jit_binary_pack_alloc(). This anchors the base of
the JIT buffer to an 8-byte boundary, allowing the relative padding math
in build_plt() to correctly align the target field.
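
The failure mode described above, as an added example that is not kernel code or part of the original record: a simplified model in which padding is computed only from the offset inside the image, so the absolute address of target inherits whatever alignment the allocator gave the base. The struct layout, function names and address range are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model (assumed layout, not the kernel's definition):
 * two 32-bit instruction slots followed by the 64-bit branch target. */
struct model_plt {
    uint32_t insn[2];
    uint64_t target;
};

/* Relative padding: insert one 4-byte nop if needed so that the offset
 * of target from the start of the image is a multiple of 8. This
 * function never sees the base address of the image. */
static size_t pad_plt_offset(size_t off)
{
    if ((off + offsetof(struct model_plt, target)) % 8)
        off += 4;
    return off;
}

/* Hypothetical allocator: round a raw address up to `align` bytes. */
static uintptr_t alloc_base(uintptr_t raw, size_t align)
{
    return (raw + align - 1) & ~(uintptr_t)(align - 1);
}

/* Over constructed raw addresses and program lengths, count layouts
 * whose target lands off an 8-byte boundary (torn-read candidates). */
static unsigned misaligned_targets(size_t align)
{
    unsigned bad = 0;
    for (uintptr_t raw = 0x1000; raw < 0x1040; raw += 4)
        for (size_t n_insn = 1; n_insn <= 8; n_insn++) {
            uintptr_t base = alloc_base(raw, align);
            size_t plt_off = pad_plt_offset(n_insn * 4);
            uintptr_t target = base + plt_off + offsetof(struct model_plt, target);
            if (target % 8)
                bad++;
        }
    return bad;
}

int main(void)
{
    printf("align=4: %u misaligned\n", misaligned_targets(4));
    printf("align=8: %u misaligned\n", misaligned_targets(8));
    return 0;
}
```

With 4-byte allocation alignment, every base ending in 0x4 or 0xc yields a misaligned target no matter how the relative padding falls; with 8-byte alignment none do.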
Published: 2026-03-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

An alignment oversight in the Linux kernel’s BPF JIT allocator for the arm64 architecture causes a 64‑bit pointer field in the bpf_plt structure to sometimes be misaligned. When the JIT compiler generates code that accesses this field concurrently with a write, the ARM64 load/store operation may observe only part of the 64‑bit value, resulting in a torn read. The malformed address can then be used as a jump target by the JITed code, allowing execution of unintended instructions. This flaw enables an attacker who can load a malicious BPF program to potentially execute arbitrary kernel code, leading to local privilege escalation or root compromise.

Affected Systems

The vulnerability affects the Linux kernel across all releases that contain the buggy JIT allocation code for arm64. Vendors and users running these kernel versions are impacted. Specific version ranges are not listed in the CVE data, so any kernel prior to the patching commit should be considered vulnerable.

Risk and Exploitability

With a CVSS score of 7.8, the flaw is classified as high severity. The EPSS estimate is below 1 %, and it is not currently listed in CISA’s KEV catalog, indicating a low likelihood of widespread exploitation at this time. Nevertheless, the attack vector requires the ability to load or influence BPF code in kernel space, which an attacker may obtain via local compromise or privilege escalation channels. If the ability to execute BPF programs is available, the misaligned JIT buffer becomes a viable vector for kernel arbitrary code execution. Patching the kernel removes the misalignment; failing that, disabling BPF JIT on affected systems mitigates the risk.

Generated by OpenCVE AI on April 2, 2026 at 16:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that includes the bpf JIT alignment patch.
  • If the update is not immediately possible, disable BPF JIT by setting the appropriate sysctl or compiling the kernel with CONFIG_BPF_JIT_DISABLED.
  • Monitor system logs for UBSAN misaligned-access warnings or unexpected kernel crashes that may indicate exploitation.
  • Verify that the running kernel includes the fix commit by checking the kernel release notes or the commit hash.

Generated by OpenCVE AI on April 2, 2026 at 16:58 UTC.

Advisories

No advisories yet.

History

Fri, 24 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:6.0:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics
  Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-468
References
Metrics
  Removed: threat_severity None
  Added: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Added: threat_severity Moderate


Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing struct bpf_plt contains a u64 target field. Currently, the BPF JIT allocator requests an alignment of 4 bytes (sizeof(u32)) for the JIT buffer. Because the base address of the JIT buffer can be 4-byte aligned (e.g., ending in 0x4 or 0xc), the relative padding logic in build_plt() fails to ensure that target lands on an 8-byte boundary. This leads to two issues: 1. UBSAN reports misaligned-access warnings when dereferencing the structure. 2. More critically, target is updated concurrently via WRITE_ONCE() in bpf_arch_text_poke() while the JIT'd code executes ldr. On arm64, 64-bit loads/stores are only guaranteed to be single-copy atomic if they are 64-bit aligned. A misaligned target risks a torn read, causing the JIT to jump to a corrupted address. Fix this by increasing the allocation alignment requirement to 8 bytes (sizeof(u64)) in bpf_jit_binary_pack_alloc(). This anchors the base of the JIT buffer to an 8-byte boundary, allowing the relative padding math in build_plt() to correctly align the target field.
Title bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:06:20.054Z

Reserved: 2026-01-13T15:37:46.007Z

Link: CVE-2026-23383

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-03-25T11:16:38.487

Modified: 2026-04-24T18:42:21.773

Link: CVE-2026-23383

Redhat

Severity: Moderate

Public Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23383 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T20:23:00Z

Weaknesses