CVE-2026-23417

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 02/04/2026
Last modified: 02/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix constant blinding for PROBE_MEM32 stores

BPF_ST | BPF_PROBE_MEM32 immediate stores are not handled by bpf_jit_blind_insn(), allowing user-controlled 32-bit immediates to survive unblinded into JIT-compiled native code when bpf_jit_harden >= 1.

The root cause is that convert_ctx_accesses() rewrites BPF_ST|BPF_MEM to BPF_ST|BPF_PROBE_MEM32 for arena pointer stores during verification, before bpf_jit_blind_constants() runs during JIT compilation. The blinding switch only matches BPF_ST|BPF_MEM (mode 0x60), not BPF_ST|BPF_PROBE_MEM32 (mode 0xa0). The instruction falls through unblinded.

Add BPF_ST|BPF_PROBE_MEM32 cases to bpf_jit_blind_insn() alongside the existing BPF_ST|BPF_MEM cases. The blinding transformation is identical: load the blinded immediate into BPF_REG_AX via mov+xor, then convert the immediate store to a register store (BPF_STX).

The rewritten STX instruction must preserve the BPF_PROBE_MEM32 mode so the architecture JIT emits the correct arena addressing (R12-based on x86-64). Cannot use the BPF_STX_MEM() macro here because it hardcodes BPF_MEM mode; construct the instruction directly instead.
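The following user-space C model is an added illustration of the blinding rewrite the commit message describes; it is not the kernel's bpf_jit_blind_insn() and not part of the advisory or the patch. It reproduces only the BPF opcode encodings (class, size and mode fields; BPF_MEM = 0x60, BPF_PROBE_MEM32 = 0xa0) and the mov+xor-into-AX transformation, with a switch that can be run in its pre-fix form (only BPF_MEM stores matched) or its post-fix form (BPF_PROBE_MEM32 stores matched as well). Assumptions: BPF_REG_AX is taken as register 11, the kernel's internal auxiliary register; a fixed blinding value stands in for the kernel's per-program random one; and the input program is a constructed single arena store already rewritten to BPF_PROBE_MEM32 mode, as the verifier would have left it. The STX is built by hand so the original mode survives, which is the detail the commit message calls out about BPF_STX_MEM().

```c
/* Added example: user-space model of BPF constant blinding for stores.
 * Not the kernel's bpf_jit_blind_insn(); only the encodings and the
 * mov+xor rewrite are reproduced so the missed-case fall-through and the
 * fix can be observed without a kernel. */
#include <stdint.h>
#include <stdio.h>

/* Instruction layout as in the BPF ISA (uapi/linux/bpf.h). */
struct bpf_insn {
    uint8_t  code;
    uint8_t  dst_reg:4;
    uint8_t  src_reg:4;
    int16_t  off;
    int32_t  imm;
};

#define BPF_CLASS(code) ((code) & 0x07)
#define BPF_SIZE(code)  ((code) & 0x18)
#define BPF_MODE(code)  ((code) & 0xe0)

#define BPF_ST          0x02
#define BPF_STX         0x03
#define BPF_ALU64       0x07
#define BPF_W           0x00
#define BPF_MEM         0x60   /* mode 0x60: plain memory access */
#define BPF_PROBE_MEM32 0xa0   /* mode 0xa0: arena pointer access */
#define BPF_MOV         0xb0
#define BPF_XOR         0xa0
#define BPF_K           0x00

/* Assumed value: the kernel's internal auxiliary register used for blinding. */
#define BPF_REG_AX 11

static struct bpf_insn alu64_imm(uint8_t op, uint8_t dst, int32_t imm)
{
    struct bpf_insn insn = { .code = BPF_ALU64 | op | BPF_K,
                             .dst_reg = dst, .src_reg = 0, .off = 0, .imm = imm };
    return insn;
}

/* Rewrite an immediate store as mov+xor into AX followed by a register
 * store. Returns the number of instructions emitted, 0 when the switch
 * does not match and the instruction is passed through unblinded.
 * handle_probe_mem32 = 0 models the pre-fix switch, 1 the fixed one. */
static int blind_insn(const struct bpf_insn *from, struct bpf_insn *to,
                      uint32_t imm_rnd, int handle_probe_mem32)
{
    uint8_t mode = BPF_MODE(from->code);

    if (BPF_CLASS(from->code) != BPF_ST)
        return 0;
    if (mode != BPF_MEM && !(handle_probe_mem32 && mode == BPF_PROBE_MEM32))
        return 0;   /* pre-fix: PROBE_MEM32 store falls through unblinded */

    to[0] = alu64_imm(BPF_MOV, BPF_REG_AX, (int32_t)(imm_rnd ^ (uint32_t)from->imm));
    to[1] = alu64_imm(BPF_XOR, BPF_REG_AX, (int32_t)imm_rnd);
    /* Build the STX directly so the original mode survives; a helper that
     * hardcodes BPF_MEM would silently drop the arena addressing mode. */
    to[2].code    = BPF_STX | BPF_SIZE(from->code) | mode;
    to[2].dst_reg = from->dst_reg;
    to[2].src_reg = BPF_REG_AX;
    to[2].off     = from->off;
    to[2].imm     = 0;
    return 3;
}

/* Blind a whole program into out (sized for 3*len); returns new length. */
static int blind_prog(const struct bpf_insn *prog, int len, struct bpf_insn *out,
                      uint32_t imm_rnd, int fixed)
{
    int n = 0;
    for (int i = 0; i < len; i++) {
        int k = blind_insn(&prog[i], &out[n], imm_rnd, fixed);
        if (k == 0)
            out[n++] = prog[i];   /* copied verbatim, immediate intact */
        else
            n += k;
    }
    return n;
}

/* Does the user-chosen 32-bit immediate survive verbatim in the output? */
static int imm_survives(const struct bpf_insn *prog, int len, int32_t imm)
{
    for (int i = 0; i < len; i++)
        if (prog[i].imm == imm)
            return 1;
    return 0;
}

#define USER_IMM 0x41414141   /* constructed attacker-controlled immediate */
#define RND      0x5a5a5a5a   /* fixed stand-in for the kernel's random value */

/* Constructed input: one arena store already converted to PROBE_MEM32. */
static int demo(int fixed, struct bpf_insn *out)
{
    struct bpf_insn prog[1] = {{ .code = BPF_ST | BPF_W | BPF_PROBE_MEM32,
                                 .dst_reg = 1, .src_reg = 0, .off = 8, .imm = USER_IMM }};
    return blind_prog(prog, 1, out, RND, fixed);
}

int main(void)
{
    struct bpf_insn out[3];
    int n = demo(0, out);
    printf("pre-fix : %d insn, immediate survives = %d\n", n, imm_survives(out, n, USER_IMM));
    n = demo(1, out);
    printf("post-fix: %d insn, immediate survives = %d, store mode = 0x%02x\n",
           n, imm_survives(out, n, USER_IMM), BPF_MODE(out[n - 1].code));
    return 0;
}
```

In the pre-fix run the single PROBE_MEM32 store is copied through with 0x41414141 still in its immediate field, which is exactly what a JIT would then embed as native-code bytes; in the fixed run it becomes three instructions, the only immediates present are the xor-masked value and the mask, and the final STX keeps mode 0xa0 and source register AX.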

Impact