Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix memory access flags in helper prototypes

After commit 37cce22dbd51 ("bpf: verifier: Refactor helper access type tracking"),
the verifier started relying on the access type flags in helper
function prototypes to perform memory access optimizations.

Currently, several helper functions utilizing ARG_PTR_TO_MEM lack the
corresponding MEM_RDONLY or MEM_WRITE flags. This omission causes the
verifier to incorrectly assume that the buffer contents are unchanged
across the helper call. Consequently, the verifier may optimize away
subsequent reads based on this wrong assumption, leading to correctness
issues.

For bpf_get_stack_proto_raw_tp, the original MEM_RDONLY was incorrect
since the helper writes to the buffer. Change it to ARG_PTR_TO_UNINIT_MEM
which correctly indicates write access to potentially uninitialized memory.

Similar issues were recently addressed for specific helpers in commit
ac44dcc788b9 ("bpf: Fix verifier assumptions of bpf_d_path's output buffer")
and commit 2eb7648558a7 ("bpf: Specify access type of bpf_sysctl_get_name args").

Fix these prototypes by adding the correct memory access flags.
Published: 2026-05-27
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s BPF verifier relies on helper function prototypes to determine when kernel memory is read or written. Several helper prototypes were missing the appropriate MEM_RDONLY or MEM_WRITE flags, so the verifier incorrectly assumed that buffers remained unchanged after the helper call. This misinterpretation causes the verifier to optimize away subsequent reads, potentially leading to correctness or data integrity issues within kernel memory. The flaw is a failure to correctly specify memory access semantics (CWE‑733).

Affected Systems

All Linux kernel releases that do not yet contain the patch commits that add the correct memory access flags in helper prototypes (commit 37cce22dbd51 and related commits ac44dcc788b9, 2eb7648558a7). Until the kernel is updated, systems running older kernel versions are affected.

Risk and Exploitability

The CVSS score of 6.7 indicates a moderate severity vulnerability. The EPSS score of less than 1% and the fact that it is not listed in CISA’s KEV catalog suggest that exploitation is unlikely at present. Because this bug resides in the core BPF verifier, it could theoretically impact any BPF program loaded into the kernel, but the description does not provide evidence of how an attacker would manipulate BPF code to exploit the flaw.

Generated by OpenCVE AI on May 28, 2026 at 17:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the patch commits (37cce22dbd51 and related fixes) which correct the memory access flags in helper prototypes.
  • If a kernel upgrade cannot be performed immediately, restrict or disable BPF programs that invoke the affected helper functions until the kernel is patched.
  • Review custom BPF programs to verify they do not rely on the assumption that buffers remain unchanged across helper calls; adjust the programs to use the correct memory access semantics.

Advisories

No advisories yet.

History

Thu, 28 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-666
CWE-758

Thu, 28 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-733
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 27 May 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-666
CWE-758

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Title bpf: Fix memory access flags in helper prototypes
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:17:11.382Z

Reserved: 2026-05-13T15:03:33.084Z

Link: CVE-2026-45903

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:04.710

Modified: 2026-06-17T10:52:42.100

Link: CVE-2026-45903

Red Hat

Severity: Moderate

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45903 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T17:15:21Z

Weaknesses
  • CWE-733

    Compiler Optimization Removal or Modification of Security-critical Code