CVE-2026-23417
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix constant blinding for PROBE_MEM32 stores
BPF_ST | BPF_PROBE_MEM32 immediate stores are not handled by bpf_jit_blind_insn(), allowing user-controlled 32-bit immediates to survive unblinded into JIT-compiled native code when bpf_jit_harden >= 1.
The root cause is that convert_ctx_accesses() rewrites BPF_ST|BPF_MEM to BPF_ST|BPF_PROBE_MEM32 for arena pointer stores during verification, before bpf_jit_blind_constants() runs during JIT compilation. The blinding switch only matches BPF_ST|BPF_MEM (mode 0x60), not BPF_ST|BPF_PROBE_MEM32 (mode 0xa0). The instruction falls through unblinded.
Add BPF_ST|BPF_PROBE_MEM32 cases to bpf_jit_blind_insn() alongside the existing BPF_ST|BPF_MEM cases. The blinding transformation is identical: load the blinded immediate into BPF_REG_AX via mov+xor, then convert the immediate store to a register store (BPF_STX).
The rewritten STX instruction must preserve the BPF_PROBE_MEM32 mode so the architecture JIT emits the correct arena addressing (R12-based on x86-64). Cannot use the BPF_STX_MEM() macro here because it hardcodes BPF_MEM mode; construct the instruction directly instead.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 6082b6c328b5486da2b356eae94b8b83c98b5565 < 56af722756ed82fee2ae5d5b4d04743407506195 | affected |
| Linux | Linux | 6082b6c328b5486da2b356eae94b8b83c98b5565 < ccbf29b28b5554f9d65b2fb53b994673ad58b3bf | affected |
| Linux | Linux | 6082b6c328b5486da2b356eae94b8b83c98b5565 < de641ea08f8fff6906e169d2576c2ac54e562fbb | affected |
| Linux | Linux | 6082b6c328b5486da2b356eae94b8b83c98b5565 < 2321a9596d2260310267622e0ad8fbfa6f95378f | affected |
| Linux | Linux | 6.9 | affected |
| Linux | Linux | 0 < 6.9 | unaffected |
| Linux | Linux | 6.12.80 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.21 <= 6.18.* | unaffected |
| Linux | Linux | 6.19.11 <= 6.19.* | unaffected |
| Linux | Linux | 7.0 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/56af722756ed82fee2ae5d5b4d04743407506195
- https://git.kernel.org/stable/c/ccbf29b28b5554f9d65b2fb53b994673ad58b3bf
- https://git.kernel.org/stable/c/de641ea08f8fff6906e169d2576c2ac54e562fbb
- https://git.kernel.org/stable/c/2321a9596d2260310267622e0ad8fbfa6f95378f
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.