CVE-2026-45927
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Require frozen map for calculating map hash
Currently, bpf_map_get_info_by_fd calculates and caches the hash of the map regardless of the map's frozen state.
This leads to a TOCTOU bug where userspace can call BPF_OBJ_GET_INFO_BY_FD to cache the hash and then modify the map contents before freezing.
Therefore, a trusted loader can be tricked into verifying the stale hash while loading the modified contents.
Fix this by returning -EPERM if the map is not frozen when the hash is requested. This ensures the hash is only generated for the final, immutable state of the map.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | ea2e6467ac36bf3d785defc89e58269b15d182f7 < 7752d36343862323bbeea4ce3adf0ec2ed86e122 | affected |
| Linux | Linux | ea2e6467ac36bf3d785defc89e58269b15d182f7 < f415e114b58fe02c41191e47f24bdabb438daf72 | affected |
| Linux | Linux | ea2e6467ac36bf3d785defc89e58269b15d182f7 < a2c86aa621c22f2a7e26c654f936d65cfff0aa91 | affected |
| Linux | Linux | 6.18 | affected |
| Linux | Linux | 0 < 6.18 | unaffected |
| Linux | Linux | 6.18.14 <= 6.18.* | unaffected |
| Linux | Linux | 6.19.4 <= 6.19.* | unaffected |
| Linux | Linux | 7.0 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/7752d36343862323bbeea4ce3adf0ec2ed86e122
- https://git.kernel.org/stable/c/f415e114b58fe02c41191e47f24bdabb438daf72
- https://git.kernel.org/stable/c/a2c86aa621c22f2a7e26c654f936d65cfff0aa91
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.