CVE-2026-23417
Received Received - Intake
BPF JIT Constant Blinding Bypass in Linux Kernel Fixed

Publication date: 2026-04-02

Last updated on: 2026-04-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix constant blinding for PROBE_MEM32 stores BPF_ST | BPF_PROBE_MEM32 immediate stores are not handled by bpf_jit_blind_insn(), allowing user-controlled 32-bit immediates to survive unblinded into JIT-compiled native code when bpf_jit_harden >= 1. The root cause is that convert_ctx_accesses() rewrites BPF_ST|BPF_MEM to BPF_ST|BPF_PROBE_MEM32 for arena pointer stores during verification, before bpf_jit_blind_constants() runs during JIT compilation. The blinding switch only matches BPF_ST|BPF_MEM (mode 0x60), not BPF_ST|BPF_PROBE_MEM32 (mode 0xa0). The instruction falls through unblinded. Add BPF_ST|BPF_PROBE_MEM32 cases to bpf_jit_blind_insn() alongside the existing BPF_ST|BPF_MEM cases. The blinding transformation is identical: load the blinded immediate into BPF_REG_AX via mov+xor, then convert the immediate store to a register store (BPF_STX). The rewritten STX instruction must preserve the BPF_PROBE_MEM32 mode so the architecture JIT emits the correct arena addressing (R12-based on x86-64). Cannot use the BPF_STX_MEM() macro here because it hardcodes BPF_MEM mode; construct the instruction directly instead.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-24
Generated
2026-05-07
AI Q&A
2026-04-02
EPSS Evaluated
2026-05-05
NVD
CVE-2026-23417
EUVD
EUVD-2026-18200
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.9
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.21 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.9.1 (inc) to 6.12.80 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's BPF (Berkeley Packet Filter) JIT compilation process. Specifically, certain BPF instructions that store 32-bit immediate values (BPF_ST | BPF_PROBE_MEM32) are not properly 'blinded' or obfuscated during JIT compilation when the bpf_jit_harden setting is enabled. This happens because the blinding function only handles BPF_ST | BPF_MEM instructions but misses the BPF_PROBE_MEM32 variant. As a result, user-controlled immediate values can remain unblinded in the compiled native code, potentially exposing sensitive data or enabling exploitation.

The root cause is that during verification, some instructions are rewritten from BPF_ST|BPF_MEM to BPF_ST|BPF_PROBE_MEM32, but the blinding logic does not account for this change. The fix involves adding handling for BPF_PROBE_MEM32 cases in the blinding function to ensure these immediate values are properly obfuscated before execution.


How can this vulnerability impact me? :

Because user-controlled 32-bit immediate values can survive unblinded in JIT-compiled code, an attacker might exploit this to leak sensitive information or manipulate the behavior of the kernel in unintended ways. This could lead to security issues such as information disclosure or privilege escalation depending on how the BPF programs are used.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart