{"api_version":"1","generated_at":"2026-06-05T04:30:38+00:00","cve":"CVE-2026-45903","urls":{"html":"https://cve.report/CVE-2026-45903","api":"https://cve.report/api/cve/CVE-2026-45903.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-45903","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-45903"},"summary":{"title":"bpf: Fix memory access flags in helper prototypes","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix memory access flags in helper prototypes\n\nAfter commit 37cce22dbd51 (\"bpf: verifier: Refactor helper access type tracking\"),\nthe verifier started relying on the access type flags in helper\nfunction prototypes to perform memory access optimizations.\n\nCurrently, several helper functions utilizing ARG_PTR_TO_MEM lack the\ncorresponding MEM_RDONLY or MEM_WRITE flags. This omission causes the\nverifier to incorrectly assume that the buffer contents are unchanged\nacross the helper call. Consequently, the verifier may optimize away\nsubsequent reads based on this wrong assumption, leading to correctness\nissues.\n\nFor bpf_get_stack_proto_raw_tp, the original MEM_RDONLY was incorrect\nsince the helper writes to the buffer. Change it to ARG_PTR_TO_UNINIT_MEM\nwhich correctly indicates write access to potentially uninitialized memory.\n\nSimilar issues were recently addressed for specific helpers in commit\nac44dcc788b9 (\"bpf: Fix verifier assumptions of bpf_d_path's output buffer\")\nand commit 2eb7648558a7 (\"bpf: Specify access type of bpf_sysctl_get_name args\").\n\nFix these prototypes by adding the correct memory access flags.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-27 14:17:04","updated_at":"2026-05-27 14:48:31"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/aa319592892068bd960c1a1c07bd621085b0c63d","name":"https://git.kernel.org/stable/c/aa319592892068bd960c1a1c07bd621085b0c63d","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/802eef5afb1865bc5536a5302c068ba2215a1f72","name":"https://git.kernel.org/stable/c/802eef5afb1865bc5536a5302c068ba2215a1f72","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/fdfe75161f6e8c41a7d3023fbb815b537107b806","name":"https://git.kernel.org/stable/c/fdfe75161f6e8c41a7d3023fbb815b537107b806","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-45903","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45903","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 37cce22dbd51a3ef7f6c08c3fb5f1c5075a17fbb fdfe75161f6e8c41a7d3023fbb815b537107b806 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 37cce22dbd51a3ef7f6c08c3fb5f1c5075a17fbb aa319592892068bd960c1a1c07bd621085b0c63d git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 37cce22dbd51a3ef7f6c08c3fb5f1c5075a17fbb 802eef5afb1865bc5536a5302c068ba2215a1f72 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.14","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.14 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.14 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.4 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"45903","cve":"CVE-2026-45903","epss":"0.000170000","percentile":"0.042650000","score_date":"2026-06-01","updated_at":"2026-06-02 00:05:21"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["kernel/bpf/helpers.c","kernel/bpf/syscall.c","kernel/trace/bpf_trace.c","net/core/filter.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"fdfe75161f6e8c41a7d3023fbb815b537107b806","status":"affected","version":"37cce22dbd51a3ef7f6c08c3fb5f1c5075a17fbb","versionType":"git"},{"lessThan":"aa319592892068bd960c1a1c07bd621085b0c63d","status":"affected","version":"37cce22dbd51a3ef7f6c08c3fb5f1c5075a17fbb","versionType":"git"},{"lessThan":"802eef5afb1865bc5536a5302c068ba2215a1f72","status":"affected","version":"37cce22dbd51a3ef7f6c08c3fb5f1c5075a17fbb","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["kernel/bpf/helpers.c","kernel/bpf/syscall.c","kernel/trace/bpf_trace.c","net/core/filter.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.14"},{"lessThan":"6.14","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.14","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.4","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.14","versionStartIncluding":"6.14","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.4","versionStartIncluding":"6.14","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"6.14","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix memory access flags in helper prototypes\n\nAfter commit 37cce22dbd51 (\"bpf: verifier: Refactor helper access type tracking\"),\nthe verifier started relying on the access type flags in helper\nfunction prototypes to perform memory access optimizations.\n\nCurrently, several helper functions utilizing ARG_PTR_TO_MEM lack the\ncorresponding MEM_RDONLY or MEM_WRITE flags. This omission causes the\nverifier to incorrectly assume that the buffer contents are unchanged\nacross the helper call. Consequently, the verifier may optimize away\nsubsequent reads based on this wrong assumption, leading to correctness\nissues.\n\nFor bpf_get_stack_proto_raw_tp, the original MEM_RDONLY was incorrect\nsince the helper writes to the buffer. Change it to ARG_PTR_TO_UNINIT_MEM\nwhich correctly indicates write access to potentially uninitialized memory.\n\nSimilar issues were recently addressed for specific helpers in commit\nac44dcc788b9 (\"bpf: Fix verifier assumptions of bpf_d_path's output buffer\")\nand commit 2eb7648558a7 (\"bpf: Specify access type of bpf_sysctl_get_name args\").\n\nFix these prototypes by adding the correct memory access flags."}],"providerMetadata":{"dateUpdated":"2026-05-27T12:17:11.382Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/fdfe75161f6e8c41a7d3023fbb815b537107b806"},{"url":"https://git.kernel.org/stable/c/aa319592892068bd960c1a1c07bd621085b0c63d"},{"url":"https://git.kernel.org/stable/c/802eef5afb1865bc5536a5302c068ba2215a1f72"}],"title":"bpf: Fix memory access flags in helper prototypes","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-45903","datePublished":"2026-05-27T12:17:11.382Z","dateReserved":"2026-05-13T15:03:33.084Z","dateUpdated":"2026-05-27T12:17:11.382Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-27 14:17:04","lastModifiedDate":"2026-05-27 14:48:31","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"45903","Ordinal":"1","Title":"bpf: Fix memory access flags in helper prototypes","CVE":"CVE-2026-45903","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"45903","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix memory access flags in helper prototypes\n\nAfter commit 37cce22dbd51 (\"bpf: verifier: Refactor helper access type tracking\"),\nthe verifier started relying on the access type flags in helper\nfunction prototypes to perform memory access optimizations.\n\nCurrently, several helper functions utilizing ARG_PTR_TO_MEM lack the\ncorresponding MEM_RDONLY or MEM_WRITE flags. This omission causes the\nverifier to incorrectly assume that the buffer contents are unchanged\nacross the helper call. Consequently, the verifier may optimize away\nsubsequent reads based on this wrong assumption, leading to correctness\nissues.\n\nFor bpf_get_stack_proto_raw_tp, the original MEM_RDONLY was incorrect\nsince the helper writes to the buffer. Change it to ARG_PTR_TO_UNINIT_MEM\nwhich correctly indicates write access to potentially uninitialized memory.\n\nSimilar issues were recently addressed for specific helpers in commit\nac44dcc788b9 (\"bpf: Fix verifier assumptions of bpf_d_path's output buffer\")\nand commit 2eb7648558a7 (\"bpf: Specify access type of bpf_sysctl_get_name args\").\n\nFix these prototypes by adding the correct memory access flags.","Type":"Description","Title":"bpf: Fix memory access flags in helper prototypes"}]}}}