Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix memory access flags in helper prototypes

After commit 37cce22dbd51 ("bpf: verifier: Refactor helper access type tracking"),
the verifier started relying on the access type flags in helper
function prototypes to perform memory access optimizations.

Currently, several helper functions utilizing ARG_PTR_TO_MEM lack the
corresponding MEM_RDONLY or MEM_WRITE flags. This omission causes the
verifier to incorrectly assume that the buffer contents are unchanged
across the helper call. Consequently, the verifier may optimize away
subsequent reads based on this wrong assumption, leading to correctness
issues.

For bpf_get_stack_proto_raw_tp, the original MEM_RDONLY was incorrect
since the helper writes to the buffer. Change it to ARG_PTR_TO_UNINIT_MEM
which correctly indicates write access to potentially uninitialized memory.

Similar issues were recently addressed for specific helpers in commit
ac44dcc788b9 ("bpf: Fix verifier assumptions of bpf_d_path's output buffer")
and commit 2eb7648558a7 ("bpf: Specify access type of bpf_sysctl_get_name args").

Fix these prototypes by adding the correct memory access flags.
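
The effect described above, reduced to a toy model in C (an added example, not kernel code and not part of the original advisory). The verifier model forgets a tracked stack value only when the helper prototype carries MEM_WRITE, so a writing helper with no flag or with MEM_RDONLY leaves it holding a stale value. The flag values, struct names and helper names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model only: flag values and helper names here are constructed. */
enum { MEM_RDONLY = 1u << 0, MEM_WRITE = 1u << 1 };
struct proto { const char *name; unsigned flags; bool writes_buf; };
/* What the verifier believes about one stack slot passed as ARG_PTR_TO_MEM. */
struct slot { bool known; uint64_t value; };

/* Verifier side: only a MEM_WRITE argument invalidates the tracked value. */
static void verifier_call(struct slot *s, const struct proto *p)
{
    if (p->flags & MEM_WRITE)
        s->known = false;
}

/* Runtime side: a writing helper changes the buffer whatever the flags say. */
static void runtime_call(uint64_t *buf, const struct proto *p)
{
    if (p->writes_buf)
        *buf = 0x1122334455667788ULL;
}

/* True when a read after the helper call yields what is really in memory. */
static bool read_after_call_is_correct(const struct proto *p)
{
    uint64_t buf = 0;               /* the program stores 0 ...           */
    struct slot s = { true, 0 };    /* ... and the verifier tracks that 0 */
    verifier_call(&s, p);
    runtime_call(&buf, p);
    uint64_t seen = s.known ? s.value : buf; /* a known value replaces the load */
    return seen == buf;
}

/* Prototype audit for this model: the flag must match what the helper does. */
static bool proto_flags_ok(const struct proto *p)
{
    unsigned want = p->writes_buf ? MEM_WRITE : MEM_RDONLY;
    return (p->flags & (MEM_RDONLY | MEM_WRITE)) == want;
}

int main(void)
{
    const struct proto t[] = { { "writer_no_flag", 0, true },
        { "writer_rdonly", MEM_RDONLY, true }, { "writer_fixed", MEM_WRITE, true } };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
        printf("%-15s flags_ok=%d read_correct=%d\n", t[i].name,
               proto_flags_ok(&t[i]), read_after_call_is_correct(&t[i]));
}
```
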
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The kernel’s BPF verifier relies on helper function prototypes to determine memory access patterns. Several helper functions lack the appropriate MEM_RDONLY or MEM_WRITE flags, causing the verifier to assume that buffers remain unchanged across helper calls. This false assumption can lead the verifier to incorrectly optimize away subsequent reads, resulting in correctness problems. The weakness is a failure to properly specify memory access semantics, which could allow malicious BPF programs to observe or corrupt data they should not see, thereby impacting confidentiality or integrity of kernel memory.

Affected Systems

All Linux kernel releases that have not incorporated the patch commits that add the correct memory access flags in helper prototypes are affected. The fix appears in the kernel source after commit 37cce22dbd51 and related commits such as ac44dcc788b9 and 2eb7648558a7. Until the kernel is updated, systems running older kernels are affected.

Risk and Exploitability

The CVSS score is not disclosed, nor is there an EPSS value; the vulnerability is not listed in CISA’s KEV catalog. This indicates limited exploitation evidence. However, because the flaw originates in the core BPF verifier, it has the potential to affect any user mode BPF program that interacts with the kernel. Environments that expose untrusted BPF code or rely heavily on dynamically generated BPF programs should prioritize mitigation, while general usage scenarios may exhibit a lower immediate risk.

Generated by OpenCVE AI on May 27, 2026 at 19:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that implements the patch commits (37cce22dbd51 and related fixes) which correct the memory access flags in helper prototypes.
  • If a kernel upgrade is not immediately possible, disable or restrict BPF programs that invoke the affected helper functions until the kernel is patched.
  • Review custom BPF programs to ensure they do not rely on the assumption that buffers remain unchanged across helper calls; adjust code to use the correct memory access semantics.

Advisories

No advisories yet.

History

Wed, 27 May 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses: CWE-666, CWE-758

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description: (same text as the Description at the top of this page)
Title: bpf: Fix memory access flags in helper prototypes
First Time appeared: Linux, Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux, Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:17:11.382Z

Reserved: 2026-05-13T15:03:33.084Z

Link: CVE-2026-45903

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:04.710

Modified: 2026-05-27T14:48:31.480

Link: CVE-2026-45903

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:15:26Z

Weaknesses