CVE-2026-45903
Awaiting Analysis
Memory Access Flag Fix in Linux Kernel BPF

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix memory access flags in helper prototypes

After commit 37cce22dbd51 ("bpf: verifier: Refactor helper access type tracking"), the verifier started relying on the access type flags in helper function prototypes to perform memory access optimizations.

Currently, several helper functions utilizing ARG_PTR_TO_MEM lack the corresponding MEM_RDONLY or MEM_WRITE flags. This omission causes the verifier to incorrectly assume that the buffer contents are unchanged across the helper call. Consequently, the verifier may optimize away subsequent reads based on this wrong assumption, leading to correctness issues.

For bpf_get_stack_proto_raw_tp, the original MEM_RDONLY was incorrect since the helper writes to the buffer. Change it to ARG_PTR_TO_UNINIT_MEM which correctly indicates write access to potentially uninitialized memory.

Similar issues were recently addressed for specific helpers in commit ac44dcc788b9 ("bpf: Fix verifier assumptions of bpf_d_path's output buffer") and commit 2eb7648558a7 ("bpf: Specify access type of bpf_sysctl_get_name args").

Fix these prototypes by adding the correct memory access flags.
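The description above turns on what the verifier concludes from a prototype's access flags. The following is an added example, not kernel code and not part of the original advisory: a simplified model in which the `MODEL_*` names, their bit values and the `slot_state` tracking are assumptions made for illustration, showing why a missing flag or a wrong MEM_RDONLY leaves a stale value in place while ARG_PTR_TO_UNINIT_MEM does not.

```c
/* Simplified model of the behaviour described above; not kernel code.
 * MODEL_* names and bit values are constructed for illustration. */
#include <stdbool.h>
#include <stdio.h>

enum {
    MODEL_ARG_PTR_TO_MEM = 1 << 0, /* pointer-to-buffer argument */
    MODEL_MEM_RDONLY     = 1 << 1, /* prototype: helper only reads */
    MODEL_MEM_WRITE      = 1 << 2, /* prototype: helper may write */
    MODEL_MEM_UNINIT     = 1 << 3, /* buffer may be uninitialized */
    MODEL_ARG_PTR_TO_UNINIT_MEM =
        MODEL_ARG_PTR_TO_MEM | MODEL_MEM_WRITE | MODEL_MEM_UNINIT,
};

/* What the model verifier believes about one stack buffer. */
struct slot_state {
    bool known; /* contents tracked as a constant */
    long value; /* tracked constant, meaningful only if known */
};

/* Only a write declared in the prototype invalidates the tracked value. */
static void model_helper_call(struct slot_state *s, int arg_type)
{
    if (arg_type & MODEL_MEM_WRITE)
        s->known = false;
}

/* True when a load after the call would be replaced by the stale constant
 * although the helper really changed the buffer. */
static bool model_stale_read(int arg_type, bool helper_writes)
{
    struct slot_state s = { .known = true, .value = 0 }; /* zeroed buffer */
    model_helper_call(&s, arg_type);
    return s.known && helper_writes;
}

int main(void)
{
    /* Each line: declared prototype flags vs. a helper that does write. */
    printf("no access flag  : stale=%d\n",
           model_stale_read(MODEL_ARG_PTR_TO_MEM, true));
    printf("wrong MEM_RDONLY: stale=%d\n",
           model_stale_read(MODEL_ARG_PTR_TO_MEM | MODEL_MEM_RDONLY, true));
    printf("UNINIT_MEM      : stale=%d\n",
           model_stale_read(MODEL_ARG_PTR_TO_UNINIT_MEM, true));
    return 0;
}
```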
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux linux_kernel *
linux_kernel linux_kernel *
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's BPF (Berkeley Packet Filter) verifier and concerns the memory access flags in helper function prototypes.

After commit 37cce22dbd51 ("bpf: verifier: Refactor helper access type tracking"), the verifier started relying on access type flags (such as MEM_RDONLY or MEM_WRITE) in helper function prototypes to optimize memory access. However, some helper functions using ARG_PTR_TO_MEM were missing these flags.

Because of this omission, the verifier incorrectly assumed that buffer contents remained unchanged across helper calls, which could lead to it optimizing away necessary reads and causing correctness issues.

Specifically, for bpf_get_stack_proto_raw_tp, the original MEM_RDONLY flag indicated read-only access, but the helper actually writes to the buffer. The fix changes the argument type to ARG_PTR_TO_UNINIT_MEM, which correctly indicates write access to potentially uninitialized memory.

Overall, the vulnerability is about incorrect memory access assumptions in the BPF verifier due to missing or incorrect memory access flags in helper prototypes.

Impact Analysis

This vulnerability can lead to correctness issues in the Linux kernel's BPF verifier.

Because the verifier may incorrectly assume that buffer contents do not change across helper calls, it might optimize away necessary memory reads.

Such incorrect optimizations could cause unexpected behavior or bugs in programs relying on BPF, potentially affecting system stability or security depending on how BPF programs are used.
