{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23417", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.014Z", "datePublished": "2026-04-02T11:40:57.837Z", "dateUpdated": "2026-04-02T11:40:57.837Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-02T11:40:57.837Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix constant blinding for PROBE_MEM32 stores\n\nBPF_ST | BPF_PROBE_MEM32 immediate stores are not handled by\nbpf_jit_blind_insn(), allowing user-controlled 32-bit immediates to\nsurvive unblinded into JIT-compiled native code when bpf_jit_harden >= 1.\n\nThe root cause is that convert_ctx_accesses() rewrites BPF_ST|BPF_MEM\nto BPF_ST|BPF_PROBE_MEM32 for arena pointer stores during verification,\nbefore bpf_jit_blind_constants() runs during JIT compilation. The\nblinding switch only matches BPF_ST|BPF_MEM (mode 0x60), not\nBPF_ST|BPF_PROBE_MEM32 (mode 0xa0). The instruction falls through\nunblinded.\n\nAdd BPF_ST|BPF_PROBE_MEM32 cases to bpf_jit_blind_insn() alongside the\nexisting BPF_ST|BPF_MEM cases. The blinding transformation is identical:\nload the blinded immediate into BPF_REG_AX via mov+xor, then convert\nthe immediate store to a register store (BPF_STX).\n\nThe rewritten STX instruction must preserve the BPF_PROBE_MEM32 mode so\nthe architecture JIT emits the correct arena addressing (R12-based on\nx86-64). Cannot use the BPF_STX_MEM() macro here because it hardcodes\nBPF_MEM mode; construct the instruction directly instead."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/bpf/core.c"], "versions": [{"version": "6082b6c328b5486da2b356eae94b8b83c98b5565", "lessThan": "56af722756ed82fee2ae5d5b4d04743407506195", "status": "affected", "versionType": "git"}, {"version": "6082b6c328b5486da2b356eae94b8b83c98b5565", "lessThan": "ccbf29b28b5554f9d65b2fb53b994673ad58b3bf", "status": "affected", "versionType": "git"}, {"version": "6082b6c328b5486da2b356eae94b8b83c98b5565", "lessThan": "de641ea08f8fff6906e169d2576c2ac54e562fbb", "status": "affected", "versionType": "git"}, {"version": "6082b6c328b5486da2b356eae94b8b83c98b5565", "lessThan": "2321a9596d2260310267622e0ad8fbfa6f95378f", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/bpf/core.c"], "versions": [{"version": "6.9", "status": "affected"}, {"version": "0", "lessThan": "6.9", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "7.0-rc5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/56af722756ed82fee2ae5d5b4d04743407506195"}, {"url": "https://git.kernel.org/stable/c/ccbf29b28b5554f9d65b2fb53b994673ad58b3bf"}, {"url": "https://git.kernel.org/stable/c/de641ea08f8fff6906e169d2576c2ac54e562fbb"}, {"url": "https://git.kernel.org/stable/c/2321a9596d2260310267622e0ad8fbfa6f95378f"}], "title": "bpf: Fix constant blinding for PROBE_MEM32 stores", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix constant blinding for PROBE_MEM32 stores\n\nBPF_ST | BPF_PROBE_MEM32 immediate stores are not handled by\nbpf_jit_blind_insn(), allowing user-controlled 32-bit immediates to\nsurvive unblinded into JIT-compiled native code when bpf_jit_harden >= 1.\n\nThe root cause is that convert_ctx_accesses() rewrites BPF_ST|BPF_MEM\nto BPF_ST|BPF_PROBE_MEM32 for arena pointer stores during verification,\nbefore bpf_jit_blind_constants() runs during JIT compilation. The\nblinding switch only matches BPF_ST|BPF_MEM (mode 0x60), not\nBPF_ST|BPF_PROBE_MEM32 (mode 0xa0). The instruction falls through\nunblinded.\n\nAdd BPF_ST|BPF_PROBE_MEM32 cases to bpf_jit_blind_insn() alongside the\nexisting BPF_ST|BPF_MEM cases. The blinding transformation is identical:\nload the blinded immediate into BPF_REG_AX via mov+xor, then convert\nthe immediate store to a register store (BPF_STX).\n\nThe rewritten STX instruction must preserve the BPF_PROBE_MEM32 mode so\nthe architecture JIT emits the correct arena addressing (R12-based on\nx86-64). Cannot use the BPF_STX_MEM() macro here because it hardcodes\nBPF_MEM mode; construct the instruction directly instead."}], "id": "CVE-2026-23417", "lastModified": "2026-04-02T12:16:21.097", "metrics": {}, "published": "2026-04-02T12:16:21.097", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2321a9596d2260310267622e0ad8fbfa6f95378f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/56af722756ed82fee2ae5d5b4d04743407506195"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ccbf29b28b5554f9d65b2fb53b994673ad58b3bf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/de641ea08f8fff6906e169d2576c2ac54e562fbb"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}