bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing

CVE	CVE-2026-23383
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-03-25 11:16:38 UTC
Updated	2026-04-02 15:16:32 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing struct bpf_plt contains a u64 target field. Currently, the BPF JIT allocator requests an alignment of 4 bytes (sizeof(u32)) for the JIT buffer. Because the base address of the JIT buffer can be 4-byte aligned (e.g., ending in 0x4 or 0xc), the relative padding logic in build_plt() fails to ensure that target lands on an 8-byte boundary. This leads to two issues: 1. UBSAN reports misaligned-access warnings when dereferencing the structure. 2. More critically, target is updated concurrently via WRITE_ONCE() in bpf_arch_text_poke() while the JIT'd code executes ldr. On arm64, 64-bit loads/stores are only guaranteed to be single-copy atomic if they are 64-bit aligned. A misaligned target risks a torn read, causing the JIT to jump to a corrupted address. Fix this by increasing the allocation alignment requirement to 8 bytes (sizeof(u64)) in bpf_jit_binary_pack_alloc(). This anchors the base of the JIT buffer to an 8-byte boundary, allowing the relative padding math in build_plt() to correctly align the target field.

Primary CVSS: v3.1 7.8 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.000130000 probability, percentile 0.022870000 (date 2026-04-04)

Version	Source	Type	Score	Severity	Vector
3.1	416baaa9-dc9f-4396-8d5f-8c081fb06d67	Secondary	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
3.1	CNA	DECLARED	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected b2ad54e1533e91449cb2a371e034942bd7882b58 80ad264da02cc4aee718e799c2b79f0f834673dc git	Not specified
CNA	Linux	Linux	affected b2ad54e1533e91449cb2a371e034942bd7882b58 519b1ad91de5bf7a496f2b858e9212db6328e1de git	Not specified
CNA	Linux	Linux	affected b2ad54e1533e91449cb2a371e034942bd7882b58 66959ed481a474eaae278c7f6860a2a9b188a4d6 git	Not specified
CNA	Linux	Linux	affected b2ad54e1533e91449cb2a371e034942bd7882b58 ef06fd16d48704eac868441d98d4ef083d8f3d07 git	Not specified
CNA	Linux	Linux	affected 6.0	Not specified
CNA	Linux	Linux	unaffected 6.0 semver	Not specified
CNA	Linux	Linux	unaffected 6.12.77 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.17 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.7 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0-rc2 * original_commit_for_fix	Not specified

Reference	Source	Link	Tags
git.kernel.org/stable/c/ef06fd16d48704eac868441d98d4ef083d8f3d07	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/80ad264da02cc4aee718e799c2b79f0f834673dc	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/66959ed481a474eaae278c7f6860a2a9b188a4d6	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/519b1ad91de5bf7a496f2b858e9212db6328e1de	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.