Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix constant blinding for PROBE_MEM32 stores

BPF_ST | BPF_PROBE_MEM32 immediate stores are not handled by
bpf_jit_blind_insn(), allowing user-controlled 32-bit immediates to
survive unblinded into JIT-compiled native code when bpf_jit_harden >= 1.

The root cause is that convert_ctx_accesses() rewrites BPF_ST|BPF_MEM
to BPF_ST|BPF_PROBE_MEM32 for arena pointer stores during verification,
before bpf_jit_blind_constants() runs during JIT compilation. The
blinding switch only matches BPF_ST|BPF_MEM (mode 0x60), not
BPF_ST|BPF_PROBE_MEM32 (mode 0xa0). The instruction falls through
unblinded.

Add BPF_ST|BPF_PROBE_MEM32 cases to bpf_jit_blind_insn() alongside the
existing BPF_ST|BPF_MEM cases. The blinding transformation is identical:
load the blinded immediate into BPF_REG_AX via mov+xor, then convert
the immediate store to a register store (BPF_STX).

The rewritten STX instruction must preserve the BPF_PROBE_MEM32 mode so
the architecture JIT emits the correct arena addressing (R12-based on
x86-64). Cannot use the BPF_STX_MEM() macro here because it hardcodes
BPF_MEM mode; construct the instruction directly instead.
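Added model of the BPF_ST blinding path the description walks through; it is not kernel code. Opcode field values follow the UAPI bpf.h encoding, while struct insn, blind_store() and the `fixed` flag are this model's own names, and the kernel's per-size switch is collapsed into one class/mode check.

```c
/* Model of bpf_jit_blind_insn()'s BPF_ST handling; not kernel code.
 * Opcode values follow UAPI bpf.h; struct insn/blind_store() are model names. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define BPF_CLASS(code) ((code) & 0x07)
#define BPF_SIZE(code)  ((code) & 0x18)
#define BPF_MODE(code)  ((code) & 0xe0)
#define BPF_ST          0x02
#define BPF_STX         0x03
#define BPF_ALU64       0x07
#define BPF_W           0x00
#define BPF_MEM         0x60   /* the only store mode the old switch matched */
#define BPF_PROBE_MEM32 0xa0   /* arena store mode that fell through unblinded */
#define BPF_K           0x00
#define BPF_MOV         0xb0
#define BPF_XOR         0xa0
#define BPF_REG_AX      11     /* scratch register used for blinding */
struct insn { uint8_t code, dst_reg, src_reg; int16_t off; int32_t imm; };

static struct insn alu64_imm(uint8_t op, uint8_t dst, int32_t imm)
{
    return (struct insn){ .code = BPF_ALU64 | op | BPF_K, .dst_reg = dst, .imm = imm };
}

/* Rewrites one instruction as bpf_jit_blind_insn() would; returns how many
 * instructions were written to `to` (1 means it was copied unchanged).
 * fixed=false reproduces the pre-fix check, which matched BPF_MEM only. */
static size_t blind_store(const struct insn *from, uint32_t imm_rnd,
                          bool fixed, struct insn to[3])
{
    uint8_t mode = BPF_MODE(from->code);
    bool blind = BPF_CLASS(from->code) == BPF_ST &&
                 (mode == BPF_MEM || (fixed && mode == BPF_PROBE_MEM32));
    if (!blind) {
        to[0] = *from;      /* immediate survives verbatim into native code */
        return 1;
    }
    /* AX = (imm ^ rnd) ^ rnd: the plain immediate is never emitted as-is */
    to[0] = alu64_imm(BPF_MOV, BPF_REG_AX, (int32_t)(imm_rnd ^ (uint32_t)from->imm));
    to[1] = alu64_imm(BPF_XOR, BPF_REG_AX, (int32_t)imm_rnd);
    /* Keep size AND mode from the original so PROBE_MEM32 addressing survives;
     * BPF_STX_MEM() would have forced the mode back to BPF_MEM. */
    to[2] = (struct insn){ .code = BPF_STX | BPF_SIZE(from->code) | mode,
                           .dst_reg = from->dst_reg, .src_reg = BPF_REG_AX,
                           .off = from->off };
    return 3;
}
```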
Published: 2026-04-02
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch
AI Analysis

Impact

The Linux kernel’s eBPF JIT compiler contains a flaw where 32‑bit immediates written via the BPF_PROBE_MEM32 mode bypass the blinding mechanism when bpf_jit_harden is enabled. This allows a hostile eBPF program to inject a constant that is written directly into kernel memory without modification, creating an unblinded kernel write and potentially corrupting kernel data structures. As a result, an attacker can achieve arbitrary kernel memory writes that may lead to privilege escalation or other disruptive effects.

Affected Systems

Any Linux kernel that was built before the commit adding comprehensive blinding for PROBE_MEM32 stores is affected. The vulnerability is present in kernel versions that enable bpf_jit_harden (typically ≥1) and provide JIT compilation, such as x86‑64 and other architectures that utilize the eBPF JIT. The advisory does not list specific version ranges, so all kernels older than the patched release should be reviewed.

Risk and Exploitability

The EPSS score for this issue is less than 1%, suggesting a relatively low chance of widespread exploitation. The vulnerability is not included in the CISA KEV catalog, and no public exploits have been documented. Because the flaw requires the ability to load or influence eBPF programs, the attack surface is naturally limited to privileged users or applications with CAP_SYS_ADMIN. However, for systems that run user‑managed eBPF code, the risk of kernel memory corruption remains significant and should be treated seriously.

Generated by OpenCVE AI on April 2, 2026 at 15:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the blinding fix for BPF_PROBE_MEM32 stores.
  • Apply the upstream patch that introduces the missing blinding logic to the JIT compiler.
  • If an upgrade is not immediately possible, disable eBPF JIT compilation or set bpf_jit_harden to 0 to prevent the flaw from being triggered.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

  Type         Values Removed   Values Added
  Weaknesses   (none)           CWE-119, CWE-787

Thu, 02 Apr 2026 12:00:00 +0000

  Type                 Values Removed   Values Added
  Description          (none)           In the Linux kernel, the following vulnerability has been resolved: bpf: Fix constant blinding for PROBE_MEM32 stores (full text as in the Description section above)
  Title                (none)           bpf: Fix constant blinding for PROBE_MEM32 stores
  First Time appeared  (none)           Linux; Linux linux Kernel
  CPEs                 (none)           cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  Vendors & Products   (none)           Linux; Linux linux Kernel
  References           (none)           (none)

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-02T11:40:57.837Z

Reserved: 2026-01-13T15:37:46.014Z

Link: CVE-2026-23417

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-02T12:16:21.097

Modified: 2026-04-02T12:16:21.097

Link: CVE-2026-23417

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:21:27Z

Weaknesses