Skip to main content

Linux CVE-2026-23417

| EUVDEUVD-2026-18200 MEDIUM
2026-04-02 Linux GHSA-3j46-wx9h-x693
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
5.2 MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 24, 2026 - 15:22 NVD
5.5 (MEDIUM)
Patch released
Apr 02, 2026 - 14:30 nvd
Patch available
EUVD ID Assigned
Apr 02, 2026 - 12:00 euvd
EUVD-2026-18200
Analysis Generated
Apr 02, 2026 - 12:00 vuln.today
CVE Published
Apr 02, 2026 - 11:40 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix constant blinding for PROBE_MEM32 stores

BPF_ST | BPF_PROBE_MEM32 immediate stores are not handled by bpf_jit_blind_insn(), allowing user-controlled 32-bit immediates to survive unblinded into JIT-compiled native code when bpf_jit_harden >= 1.

The root cause is that convert_ctx_accesses() rewrites BPF_ST|BPF_MEM to BPF_ST|BPF_PROBE_MEM32 for arena pointer stores during verification, before bpf_jit_blind_constants() runs during JIT compilation. The blinding switch only matches BPF_ST|BPF_MEM (mode 0x60), not BPF_ST|BPF_PROBE_MEM32 (mode 0xa0). The instruction falls through unblinded.

Add BPF_ST|BPF_PROBE_MEM32 cases to bpf_jit_blind_insn() alongside the existing BPF_ST|BPF_MEM cases. The blinding transformation is identical: load the blinded immediate into BPF_REG_AX via mov+xor, then convert the immediate store to a register store (BPF_STX).

The rewritten STX instruction must preserve the BPF_PROBE_MEM32 mode so the architecture JIT emits the correct arena addressing (R12-based on x86-64). Cannot use the BPF_STX_MEM() macro here because it hardcodes BPF_MEM mode; construct the instruction directly instead.

AnalysisAI

Unblinded BPF immediate values in PROBE_MEM32 stores bypass constant hardening in the Linux kernel BPF JIT compiler when bpf_jit_harden >= 1, allowing user-controlled 32-bit immediates to leak into native code. The vulnerability affects Linux kernel versions where convert_ctx_accesses() rewrites arena pointer stores to BPF_ST|BPF_PROBE_MEM32 before constant blinding runs, but bpf_jit_blind_insn() only handles BPF_ST|BPF_MEM instructions. No public exploit code or active exploitation has been ide

Technical ContextAI

The Linux kernel BPF JIT compiler uses constant blinding (bpf_jit_blind_constants) to harden against JIT spray attacks by transforming user-controlled immediate values into obfuscated register operations. The vulnerability exists in the BPF instruction rewriting pipeline: during verification, convert_ctx_accesses() transforms BPF_ST|BPF_MEM instructions to BPF_ST|BPF_PROBE_MEM32 (instruction mode 0xa0 vs 0x60) when handling arena pointer stores. The constant blinding function bpf_jit_blind_insn() only matches the original BPF_ST|BPF_MEM mode and ignores the rewritten BPF_PROBE_MEM32 variant, causing the immediate value to pass through unblinded. The PROBE_MEM32 mode is semantically distinct-it uses arena-specific addressing (R12-based on x86-64)-requiring that the blinding transformation preserve this mode by constructing BPF_STX|BPF_PROBE_MEM32 instructions directly rather than using standard macros that hardcode BPF_MEM. This is rooted in incomplete instruction coverage in the blinding logic (CWE-1025: Comparison Using Wrong Factors or similar hardening bypass class).

RemediationAI

Apply the upstream Linux kernel fix commits 56af722756ed82fee2ae5d5b4d04743407506195, ccbf29b28b5554f9d65b2fb53b994673ad58b3bf, de641ea08f8fff6906e169d2576c2ac54e562fbb, or 2321a9596d2260310267622e0ad8fbfa6f95378f to bpf_jit_blind_insn() to add BPF_ST|BPF_PROBE_MEM32 case handling alongside existing BPF_ST|BPF_MEM cases. The fix ensures unblinded immediates are transformed to blinded register operations via BPF_REG_AX (move+xor), then converted to BPF_STX|BPF_PROBE_MEM32 stores that preserve arena addressing semantics. For end users, upgrade to the latest stable kernel version containing these commits; most distributions have backported the fix into maintained kernel versions (6.8, 6.9, 6.10 series and later). Verify that bpf_jit_harden is enabled (cat /proc/sys/net/core/bpf_jit_harden should show 1 or 2) to confirm hardening is active. See git.kernel.org stable branch commits for patch details.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid vulnerable 6.19.10-1 -
(unstable) fixed (unfixed) -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23417 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy