Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Return proper address for non-zero offsets in insn array

The map_direct_value_addr() function of the instruction
array map incorrectly adds offset to the resulting address.
This is a bug, because later the resolve_pseudo_ldimm64()
function adds the offset. Fix it. Corresponding selftests
are added in a consequent commit.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The map_direct_value_addr() function of the BPF instruction array map incorrectly adds the offset to the address it returns. A later call to resolve_pseudo_ldimm64() adds the same offset again, so the resulting address has the offset applied twice. This miscalculation can direct a BPF program to unintended memory locations, potentially enabling memory corruption or leakage. The CVE description does not identify a proven exploitation path, but the nature of the bug suggests that malicious BPF code could manipulate memory boundaries.

Affected Systems

All Linux kernel releases that contain the buggy map_direct_value_addr implementation of BPF map handling are potentially impacted. The specific affected versions are not enumerated by the CNA; any kernel build that includes the referenced code before the associated bug‑fix commit would be susceptible.

Risk and Exploitability

No CVSS or EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog. Because the issue is tied to kernel-internal address resolution, an attacker would need to craft a malicious BPF program to trigger the fault. In the absence of publicly documented exploitation, the risk remains indeterminate, but the potential for memory integrity compromise warrants preemptive mitigation.

Generated by OpenCVE AI on May 27, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that incorporates the fix for the map_direct_value_addr double‑offset bug
  • If upgrading is not feasible, apply the commit that corrects the offset calculation to the kernel source and rebuild
  • If BPF or XDP functionality is not required, disable those features to reduce the attack surface

Advisories

No advisories yet.

History

Wed, 27 May 2026 19:15:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-125, CWE-787

Wed, 27 May 2026 14:15:00 +0000

Values Removed: (none)
Values Added:
Description: In the Linux kernel, the following vulnerability has been resolved: bpf: Return proper address for non-zero offsets in insn array The map_direct_value_addr() function of the instruction array map incorrectly adds offset to the resulting address. This is a bug, because later the resolve_pseudo_ldimm64() function adds the offset. Fix it. Corresponding selftests are added in a consequent commit.
Title: bpf: Return proper address for non-zero offsets in insn array
First Time appeared: Linux; Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:18:25.572Z

Reserved: 2026-05-13T15:03:33.089Z

Link: CVE-2026-45967

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:13.567

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45967

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:00:16Z

Weaknesses