Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Require frozen map for calculating map hash

Currently, bpf_map_get_info_by_fd calculates and caches the hash of the
map regardless of the map's frozen state.

This leads to a TOCTOU bug where userspace can call
BPF_OBJ_GET_INFO_BY_FD to cache the hash and then modify the map
contents before freezing.

Therefore, a trusted loader can be tricked into verifying the stale hash
while loading the modified contents.

Fix this by returning -EPERM if the map is not frozen when the hash is
requested. This ensures the hash is only generated for the final,
immutable state of the map.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a time-of-check to time-of-use error in bpf_map_get_info_by_fd: the kernel calculates and caches a map hash even when the map is not yet frozen. Userspace can cache the hash with BPF_OBJ_GET_INFO_BY_FD and then modify the map contents before freezing, so a trusted BPF loader verifies the stale hash while loading the modified contents. An attacker with sufficient privileges can therefore supply malicious BPF data that bypasses the loader's integrity check. The core weakness is a race: a check of the map's state is followed by a use that assumes the same state, without re-verification.
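
The sequence described above, replayed in a simplified user-space model with the frozen-map check off and on. This is an added illustration, not kernel code or the upstream patch; the struct, the function names and the FNV-1a digest are assumptions made for the model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space model of a BPF map (hypothetical names, not kernel code). */
struct toy_map {
    uint8_t  data[8];
    bool     frozen;       /* once set, writes are refused */
    bool     hash_valid;   /* a hash has been cached */
    uint64_t cached_hash;  /* value a loader later verifies */
};

/* FNV-1a stands in for the real digest (assumption, keeps the model short). */
static uint64_t toy_digest(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

static int toy_update(struct toy_map *m, size_t off, uint8_t v) {
    if (m->frozen) return -EPERM;
    if (off >= sizeof(m->data)) return -EINVAL;
    m->data[off] = v;
    return 0;
}

/* Hash request: require_frozen=false is the old behaviour, true is the fix. */
static int toy_get_hash(struct toy_map *m, bool require_frozen) {
    if (require_frozen && !m->frozen) return -EPERM;
    m->cached_hash = toy_digest(m->data, sizeof(m->data));
    m->hash_valid = true;
    return 0;
}

/* Returns true if a loader comparing the cached hash with the expected one accepts modified contents. */
static bool modified_map_accepted(bool require_frozen) {
    struct toy_map m = { .data = {1, 2, 3, 4, 5, 6, 7, 8} };
    uint64_t expected = toy_digest(m.data, sizeof(m.data)); /* hash of vetted contents */
    int early = toy_get_hash(&m, require_frozen);           /* request before freeze */
    toy_update(&m, 0, 0xff);                                /* contents change */
    m.frozen = true;                                        /* freeze */
    if (early == -EPERM) toy_get_hash(&m, require_frozen);  /* hash of final state only */
    return m.hash_valid && m.cached_hash == expected;
}

int main(void) {
    printf("old: %d, fixed: %d\n", modified_map_accepted(false), modified_map_accepted(true));
}
```

With the check off, the cached hash still matches the vetted contents after the write; with it on, the early request fails with -EPERM and the only hash ever produced covers the frozen contents.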

Affected Systems

Linux kernel (all releases prior to the patch that introduces the EPERM return for non‑frozen map hash requests).

Risk and Exploitability

The CVSS severity is not specified, and EPSS data is not available, so exploitation probability cannot be precisely quantified. The flaw is not listed in the CISA KEV catalog. Attackers need the ability to create or modify BPF maps and invoke the trusted loader, which typically requires elevated or privileged local access. Because the bug lets a trusted loader's integrity check be bypassed, the risk is considered high if the vulnerable kernel is in use.

Generated by OpenCVE AI on May 27, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the patch for CVE-2026-45927.
  • Verify that any BPF maps used by trusted loaders are frozen before hash calculation by calling the appropriate freeze API.
  • Audit BPF map usage to ensure no unsigned or untrusted BPF programs are loaded when map hashes may be cached.
  • If BPF functionality is not required in a given environment, consider disabling BPF syscalls for unprivileged users.

Advisories

No advisories yet.

History

Wed, 27 May 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-824

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bpf: Require frozen map for calculating map hash Currently, bpf_map_get_info_by_fd calculates and caches the hash of the map regardless of the map's frozen state. This leads to a TOCTOU bug where userspace can call BPF_OBJ_GET_INFO_BY_FD to cache the hash and then modify the map contents before freezing. Therefore, a trusted loader can be tricked into verifying the stale hash while loading the modified contents. Fix this by returning -EPERM if the map is not frozen when the hash is requested. This ensures the hash is only generated for the final, immutable state of the map.
Title bpf: Require frozen map for calculating map hash
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:17:46.284Z

Reserved: 2026-05-13T15:03:33.086Z

Link: CVE-2026-45927

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:08.583

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45927

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T16:30:36Z

Weaknesses