{"api_version":"1","generated_at":"2026-04-20T17:46:27+00:00","cve":"CVE-2026-23417","urls":{"html":"https://cve.report/CVE-2026-23417","api":"https://cve.report/api/cve/CVE-2026-23417.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-23417","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-23417"},"summary":{"title":"bpf: Fix constant blinding for PROBE_MEM32 stores","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix constant blinding for PROBE_MEM32 stores\n\nBPF_ST | BPF_PROBE_MEM32 immediate stores are not handled by\nbpf_jit_blind_insn(), allowing user-controlled 32-bit immediates to\nsurvive unblinded into JIT-compiled native code when bpf_jit_harden >= 1.\n\nThe root cause is that convert_ctx_accesses() rewrites BPF_ST|BPF_MEM\nto BPF_ST|BPF_PROBE_MEM32 for arena pointer stores during verification,\nbefore bpf_jit_blind_constants() runs during JIT compilation. The\nblinding switch only matches BPF_ST|BPF_MEM (mode 0x60), not\nBPF_ST|BPF_PROBE_MEM32 (mode 0xa0). The instruction falls through\nunblinded.\n\nAdd BPF_ST|BPF_PROBE_MEM32 cases to bpf_jit_blind_insn() alongside the\nexisting BPF_ST|BPF_MEM cases. The blinding transformation is identical:\nload the blinded immediate into BPF_REG_AX via mov+xor, then convert\nthe immediate store to a register store (BPF_STX).\n\nThe rewritten STX instruction must preserve the BPF_PROBE_MEM32 mode so\nthe architecture JIT emits the correct arena addressing (R12-based on\nx86-64). Cannot use the BPF_STX_MEM() macro here because it hardcodes\nBPF_MEM mode; construct the instruction directly instead.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-04-02 12:16:21","updated_at":"2026-04-03 16:10:52"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/ccbf29b28b5554f9d65b2fb53b994673ad58b3bf","name":"https://git.kernel.org/stable/c/ccbf29b28b5554f9d65b2fb53b994673ad58b3bf","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/de641ea08f8fff6906e169d2576c2ac54e562fbb","name":"https://git.kernel.org/stable/c/de641ea08f8fff6906e169d2576c2ac54e562fbb","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/2321a9596d2260310267622e0ad8fbfa6f95378f","name":"https://git.kernel.org/stable/c/2321a9596d2260310267622e0ad8fbfa6f95378f","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/56af722756ed82fee2ae5d5b4d04743407506195","name":"https://git.kernel.org/stable/c/56af722756ed82fee2ae5d5b4d04743407506195","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-23417","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23417","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6082b6c328b5486da2b356eae94b8b83c98b5565 56af722756ed82fee2ae5d5b4d04743407506195 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6082b6c328b5486da2b356eae94b8b83c98b5565 ccbf29b28b5554f9d65b2fb53b994673ad58b3bf git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6082b6c328b5486da2b356eae94b8b83c98b5565 de641ea08f8fff6906e169d2576c2ac54e562fbb git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6082b6c328b5486da2b356eae94b8b83c98b5565 2321a9596d2260310267622e0ad8fbfa6f95378f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.9","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.9 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.80 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.21 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.11 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0-rc5 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"23417","cve":"CVE-2026-23417","epss":"0.000180000","percentile":"0.044270000","score_date":"2026-04-07","updated_at":"2026-04-08 00:03:39"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["kernel/bpf/core.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"56af722756ed82fee2ae5d5b4d04743407506195","status":"affected","version":"6082b6c328b5486da2b356eae94b8b83c98b5565","versionType":"git"},{"lessThan":"ccbf29b28b5554f9d65b2fb53b994673ad58b3bf","status":"affected","version":"6082b6c328b5486da2b356eae94b8b83c98b5565","versionType":"git"},{"lessThan":"de641ea08f8fff6906e169d2576c2ac54e562fbb","status":"affected","version":"6082b6c328b5486da2b356eae94b8b83c98b5565","versionType":"git"},{"lessThan":"2321a9596d2260310267622e0ad8fbfa6f95378f","status":"affected","version":"6082b6c328b5486da2b356eae94b8b83c98b5565","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["kernel/bpf/core.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.9"},{"lessThan":"6.9","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.80","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.21","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.11","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0-rc5","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.80","versionStartIncluding":"6.9","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.21","versionStartIncluding":"6.9","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.11","versionStartIncluding":"6.9","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0-rc5","versionStartIncluding":"6.9","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix constant blinding for PROBE_MEM32 stores\n\nBPF_ST | BPF_PROBE_MEM32 immediate stores are not handled by\nbpf_jit_blind_insn(), allowing user-controlled 32-bit immediates to\nsurvive unblinded into JIT-compiled native code when bpf_jit_harden >= 1.\n\nThe root cause is that convert_ctx_accesses() rewrites BPF_ST|BPF_MEM\nto BPF_ST|BPF_PROBE_MEM32 for arena pointer stores during verification,\nbefore bpf_jit_blind_constants() runs during JIT compilation. The\nblinding switch only matches BPF_ST|BPF_MEM (mode 0x60), not\nBPF_ST|BPF_PROBE_MEM32 (mode 0xa0). The instruction falls through\nunblinded.\n\nAdd BPF_ST|BPF_PROBE_MEM32 cases to bpf_jit_blind_insn() alongside the\nexisting BPF_ST|BPF_MEM cases. The blinding transformation is identical:\nload the blinded immediate into BPF_REG_AX via mov+xor, then convert\nthe immediate store to a register store (BPF_STX).\n\nThe rewritten STX instruction must preserve the BPF_PROBE_MEM32 mode so\nthe architecture JIT emits the correct arena addressing (R12-based on\nx86-64). Cannot use the BPF_STX_MEM() macro here because it hardcodes\nBPF_MEM mode; construct the instruction directly instead."}],"providerMetadata":{"dateUpdated":"2026-04-02T11:40:57.837Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/56af722756ed82fee2ae5d5b4d04743407506195"},{"url":"https://git.kernel.org/stable/c/ccbf29b28b5554f9d65b2fb53b994673ad58b3bf"},{"url":"https://git.kernel.org/stable/c/de641ea08f8fff6906e169d2576c2ac54e562fbb"},{"url":"https://git.kernel.org/stable/c/2321a9596d2260310267622e0ad8fbfa6f95378f"}],"title":"bpf: Fix constant blinding for PROBE_MEM32 stores","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-23417","datePublished":"2026-04-02T11:40:57.837Z","dateReserved":"2026-01-13T15:37:46.014Z","dateUpdated":"2026-04-02T11:40:57.837Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-02 12:16:21","lastModifiedDate":"2026-04-03 16:10:52","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"23417","Ordinal":"1","Title":"bpf: Fix constant blinding for PROBE_MEM32 stores","CVE":"CVE-2026-23417","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"23417","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix constant blinding for PROBE_MEM32 stores\n\nBPF_ST | BPF_PROBE_MEM32 immediate stores are not handled by\nbpf_jit_blind_insn(), allowing user-controlled 32-bit immediates to\nsurvive unblinded into JIT-compiled native code when bpf_jit_harden >= 1.\n\nThe root cause is that convert_ctx_accesses() rewrites BPF_ST|BPF_MEM\nto BPF_ST|BPF_PROBE_MEM32 for arena pointer stores during verification,\nbefore bpf_jit_blind_constants() runs during JIT compilation. The\nblinding switch only matches BPF_ST|BPF_MEM (mode 0x60), not\nBPF_ST|BPF_PROBE_MEM32 (mode 0xa0). The instruction falls through\nunblinded.\n\nAdd BPF_ST|BPF_PROBE_MEM32 cases to bpf_jit_blind_insn() alongside the\nexisting BPF_ST|BPF_MEM cases. The blinding transformation is identical:\nload the blinded immediate into BPF_REG_AX via mov+xor, then convert\nthe immediate store to a register store (BPF_STX).\n\nThe rewritten STX instruction must preserve the BPF_PROBE_MEM32 mode so\nthe architecture JIT emits the correct arena addressing (R12-based on\nx86-64). Cannot use the BPF_STX_MEM() macro here because it hardcodes\nBPF_MEM mode; construct the instruction directly instead.","Type":"Description","Title":"bpf: Fix constant blinding for PROBE_MEM32 stores"}]}}}