bpf: Fix bpf_xdp_store_bytes proto for read-only arg

Summary

CVE	CVE-2026-45886
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-27 14:17:02 UTC
Updated	2026-05-27 14:48:31 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: bpf: Fix bpf_xdp_store_bytes proto for read-only arg While making some maps in Cilium read-only from the BPF side, we noticed that the bpf_xdp_store_bytes proto is incorrect. In particular, the verifier was throwing the following error: ; ret = ctx_store_bytes(ctx, l3_off + offsetof(struct iphdr, saddr), &nat->address, 4, 0); 635: (79) r1 = (u64 )(r10 -144) ; R1=ctx() R10=fp0 fp-144=ctx() 636: (b4) w2 = 26 ; R2=26 637: (b4) w4 = 4 ; R4=4 638: (b4) w5 = 0 ; R5=0 639: (85) call bpf_xdp_store_bytes#190 write into map forbidden, value_size=6 off=0 size=4 nat comes from a BPF_F_RDONLY_PROG map, so R3 is a PTR_TO_MAP_VALUE. The verifier checks the helper's memory access to R3 in check_mem_size_reg, as it reaches ARG_CONST_SIZE argument. The third argument has expected type ARG_PTR_TO_UNINIT_MEM, which includes the MEM_WRITE flag. The verifier thus checks for a BPF_WRITE access on R3. Given R3 points to a read-only map, the check fails. Conversely, ARG_PTR_TO_UNINIT_MEM can also lead to the helper reading from uninitialized memory. This patch simply fixes the expected argument type to match that of bpf_skb_store_bytes.

Risk And Classification

EPSS: 0.000240000 probability, percentile 0.073730000 (date 2026-05-31)

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 3f364222d032eea6b245780e845ad213dab28cdd ffb5d1c5e3933b947fc7303ad68bf0c536d0c85e git	Not specified
CNA	Linux	Linux	affected 3f364222d032eea6b245780e845ad213dab28cdd ddc34a1b85505c919026ddc82fafdada9a160b15 git	Not specified
CNA	Linux	Linux	affected 3f364222d032eea6b245780e845ad213dab28cdd 0db169a91381a473b7974021d1c02f8da72c5775 git	Not specified
CNA	Linux	Linux	affected 3f364222d032eea6b245780e845ad213dab28cdd d7b87adeb0eb539b9b824b101bb14fb01e41240b git	Not specified
CNA	Linux	Linux	affected 3f364222d032eea6b245780e845ad213dab28cdd 57f7f6a0ad04a65c8a7a067b2f56cbbf2aec9e52 git	Not specified
CNA	Linux	Linux	affected 3f364222d032eea6b245780e845ad213dab28cdd 6557f1565d779851c4db9c488c49c05a47a6e72f git	Not specified
CNA	Linux	Linux	affected 5.18	Not specified
CNA	Linux	Linux	unaffected 5.18 semver	Not specified
CNA	Linux	Linux	unaffected 6.1.165 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.128 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.75 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.14 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.4 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/57f7f6a0ad04a65c8a7a067b2f56cbbf2aec9e52	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/6557f1565d779851c4db9c488c49c05a47a6e72f	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/ffb5d1c5e3933b947fc7303ad68bf0c536d0c85e	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/0db169a91381a473b7974021d1c02f8da72c5775	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/ddc34a1b85505c919026ddc82fafdada9a160b15	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/d7b87adeb0eb539b9b824b101bb14fb01e41240b	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.