CVE-2026-45927
Awaiting Analysis Awaiting Analysis - Queue
BPF Map Hash Calculation Requires Frozen State in Linux Kernel

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Require frozen map for calculating map hash Currently, bpf_map_get_info_by_fd calculates and caches the hash of the map regardless of the map's frozen state. This leads to a TOCTOU bug where userspace can call BPF_OBJ_GET_INFO_BY_FD to cache the hash and then modify the map contents before freezing. Therefore, a trusted loader can be tricked into verifying the stale hash while loading the modified contents. Fix this by returning -EPERM if the map is not frozen when the hash is requested. This ensures the hash is only generated for the final, immutable state of the map.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-45927
EUVD
EUVD-2026-32393
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's BPF (Berkeley Packet Filter) subsystem. The issue is that the function bpf_map_get_info_by_fd calculates and caches a hash of a map without checking if the map is frozen (immutable). Because of this, there is a time-of-check to time-of-use (TOCTOU) bug where userspace can retrieve and cache the hash of the map, then modify the map's contents before freezing it. This allows a trusted loader to be tricked into verifying a stale hash while loading modified map contents.

The fix for this vulnerability is to require that the map be frozen before the hash is calculated. If the map is not frozen, the function returns an error (-EPERM), ensuring the hash is only generated for the final, immutable state of the map.

Impact Analysis

This vulnerability can allow an attacker or untrusted userspace process to trick a trusted loader into accepting a stale hash for a BPF map while the actual contents of the map have been modified. This can lead to the loading of unauthorized or malicious map contents, potentially compromising system integrity or security.

Mitigation Strategies

The vulnerability is resolved by requiring that the BPF map be frozen before calculating its hash, preventing TOCTOU attacks.

Immediate mitigation steps include ensuring your Linux kernel is updated to a version that includes this fix, which returns -EPERM if the map is not frozen when the hash is requested.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45927. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart