CVE-2026-23417

MEDIUM · CVSS 3.1: 5.5 · EPSS 1.9%
Published Apr 2, 2026 · Last Modified Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix constant blinding for PROBE_MEM32 stores

BPF_ST | BPF_PROBE_MEM32 immediate stores are not handled by bpf_jit_blind_insn(), allowing user-controlled 32-bit immediates to survive unblinded into JIT-compiled native code when bpf_jit_harden >= 1.

The root cause is that convert_ctx_accesses() rewrites BPF_ST|BPF_MEM to BPF_ST|BPF_PROBE_MEM32 for arena pointer stores during verification, before bpf_jit_blind_constants() runs during JIT compilation. The blinding switch only matches BPF_ST|BPF_MEM (mode 0x60), not BPF_ST|BPF_PROBE_MEM32 (mode 0xa0). The instruction falls through unblinded.

Add BPF_ST|BPF_PROBE_MEM32 cases to bpf_jit_blind_insn() alongside the existing BPF_ST|BPF_MEM cases. The blinding transformation is identical: load the blinded immediate into BPF_REG_AX via mov+xor, then convert the immediate store to a register store (BPF_STX).

The rewritten STX instruction must preserve the BPF_PROBE_MEM32 mode so the architecture JIT emits the correct arena addressing (R12-based on x86-64). Cannot use the BPF_STX_MEM() macro here because it hardcodes BPF_MEM mode; construct the instruction directly instead.
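The opcode mismatch described above can be reproduced in a small user-space model. This is an added example, not the kernel's code or the patch itself: blind_insn(), its fixed flag, struct insn and the sample immediate are hypothetical, and the opcode constants are assumed to match the kernel's BPF headers.

```c
#include <stdint.h>
#include <stdio.h>

/* Opcode fields (assumed to match the kernel headers; modes are the 0x60/0xa0 above). */
#define BPF_ST          0x02
#define BPF_STX         0x03
#define BPF_ALU64       0x07
#define BPF_MEM         0x60
#define BPF_PROBE_MEM32 0xa0
#define BPF_MOV         0xb0
#define BPF_XOR         0xa0
#define BPF_REG_AX      11
#define CLASS(c) ((c) & 0x07)
#define SIZE(c)  ((c) & 0x18)
#define MODE(c)  ((c) & 0xe0)

struct insn { uint8_t code, dst, src; int16_t off; int32_t imm; };

/* Simplified model of the blinding switch. fixed=0 matches only BPF_ST|BPF_MEM
 * (the behaviour described as the bug); fixed=1 also matches BPF_ST|BPF_PROBE_MEM32.
 * Returns the number of instructions written to out[]. */
static int blind_insn(struct insn in, uint32_t rnd, int fixed, struct insn out[3])
{
    int is_st = CLASS(in.code) == BPF_ST;
    int hit = is_st && (MODE(in.code) == BPF_MEM ||
                        (fixed && MODE(in.code) == BPF_PROBE_MEM32));
    if (!hit) {            /* falls through: the immediate survives as-is */
        out[0] = in;
        return 1;
    }
    /* mov AX, imm^rnd ; xor AX, rnd ; store AX keeping the original size AND mode */
    out[0] = (struct insn){ BPF_ALU64 | BPF_MOV, BPF_REG_AX, 0, 0, (int32_t)(rnd ^ (uint32_t)in.imm) };
    out[1] = (struct insn){ BPF_ALU64 | BPF_XOR, BPF_REG_AX, 0, 0, (int32_t)rnd };
    out[2] = (struct insn){ BPF_STX | SIZE(in.code) | MODE(in.code), in.dst, BPF_REG_AX, in.off, 0 };
    return 3;
}

int main(void)
{
    /* Constructed sample: 32-bit arena store of a user-chosen immediate. */
    struct insn st = { BPF_ST | BPF_PROBE_MEM32, 1, 0, 8, 0x11223344 }, out[3];
    for (int fixed = 0; fixed <= 1; fixed++) {
        int n = blind_insn(st, 0x5a5a5a5a, fixed, out);
        printf("fixed=%d -> %d insn(s), first imm=0x%08x, last code=0x%02x\n",
               fixed, n, (unsigned)out[0].imm, out[n - 1].code);
    }
    return 0;
}
```

With fixed=0 the store comes back unchanged with its immediate intact; with fixed=1 the immediate appears only XOR-masked and the final store keeps mode 0xa0.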

CVSS Details

Base Score 5.5
Exploitability 1.8
Impact 3.6
Vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
1.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 11

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥6.9.1 – <6.12.80
linux   linux_kernel  *        ≥6.13 – <6.18.21
linux   linux_kernel  *        ≥6.19 – <6.19.11
linux   linux_kernel  6.9      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any

References 4

  • git.kernel.org https://git.kernel.org/stable/c/2321a9596d2260310267622e0ad8fbfa6f95378f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/56af722756ed82fee2ae5d5b4d04743407506195
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ccbf29b28b5554f9d65b2fb53b994673ad58b3bf
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/de641ea08f8fff6906e169d2576c2ac54e562fbb
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/2321a9596d2260310267622e0ad8fbfa6f95378f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/56af722756ed82fee2ae5d5b4d04743407506195
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ccbf29b28b5554f9d65b2fb53b994673ad58b3bf
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/de641ea08f8fff6906e169d2576c2ac54e562fbb
    Patch