CVE-2026-45886
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/05/2026
Last modified:
27/05/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
bpf: Fix bpf_xdp_store_bytes proto for read-only arg<br />
<br />
While making some maps in Cilium read-only from the BPF side, we noticed<br />
that the bpf_xdp_store_bytes proto is incorrect. In particular, the<br />
verifier was throwing the following error:<br />
<br />
; ret = ctx_store_bytes(ctx, l3_off + offsetof(struct iphdr, saddr),<br />
&nat->address, 4, 0);<br />
635: (79) r1 = *(u64 *)(r10 -144) ; R1=ctx() R10=fp0 fp-144=ctx()<br />
636: (b4) w2 = 26 ; R2=26<br />
637: (b4) w4 = 4 ; R4=4<br />
638: (b4) w5 = 0 ; R5=0<br />
639: (85) call bpf_xdp_store_bytes#190<br />
write into map forbidden, value_size=6 off=0 size=4<br />
<br />
nat comes from a BPF_F_RDONLY_PROG map, so R3 is a PTR_TO_MAP_VALUE.<br />
The verifier checks the helper&#39;s memory access to R3 in<br />
check_mem_size_reg, as it reaches ARG_CONST_SIZE argument. The third<br />
argument has expected type ARG_PTR_TO_UNINIT_MEM, which includes the<br />
MEM_WRITE flag. The verifier thus checks for a BPF_WRITE access on R3.<br />
Given R3 points to a read-only map, the check fails.<br />
<br />
Conversely, ARG_PTR_TO_UNINIT_MEM can also lead to the helper reading<br />
from uninitialized memory.<br />
<br />
This patch simply fixes the expected argument type to match that of<br />
bpf_skb_store_bytes.
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0db169a91381a473b7974021d1c02f8da72c5775
- https://git.kernel.org/stable/c/57f7f6a0ad04a65c8a7a067b2f56cbbf2aec9e52
- https://git.kernel.org/stable/c/6557f1565d779851c4db9c488c49c05a47a6e72f
- https://git.kernel.org/stable/c/d7b87adeb0eb539b9b824b101bb14fb01e41240b
- https://git.kernel.org/stable/c/ddc34a1b85505c919026ddc82fafdada9a160b15
- https://git.kernel.org/stable/c/ffb5d1c5e3933b947fc7303ad68bf0c536d0c85e



