In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix constant blinding for PROBE_MEM32 stores
BPF_ST | BPF_PROBE_MEM32 immediate stores are not handled by bpf_jit_blind_insn(), allowing user-controlled 32-bit immediates to survive unblinded into JIT-compiled native code when bpf_jit_harden >= 1.
The root cause is that convert_ctx_accesses() rewrites BPF_ST|BPF_MEM to BPF_ST|BPF_PROBE_MEM32 for arena pointer stores during verification, before bpf_jit_blind_constants() runs during JIT compilation. The blinding switch only matches BPF_ST|BPF_MEM (mode 0x60), not BPF_ST|BPF_PROBE_MEM32 (mode 0xa0). The instruction falls through unblinded.
Add BPF_ST|BPF_PROBE_MEM32 cases to bpf_jit_blind_insn() alongside the existing BPF_ST|BPF_MEM cases. The blinding transformation is identical: load the blinded immediate into BPF_REG_AX via mov+xor, then convert the immediate store to a register store (BPF_STX).
The rewritten STX instruction must preserve the BPF_PROBE_MEM32 mode so the architecture JIT emits the correct arena addressing (R12-based on x86-64). The BPF_STX_MEM() macro cannot be used here because it hardcodes BPF_MEM mode; construct the instruction directly instead.
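The transformation described above, as an added example that is not the kernel's own code: a user-space model of the blinding step in bpf_jit_blind_insn(). The opcode constants and struct bpf_insn layout are reproduced here to mirror the uapi eBPF encoding, the value of BPF_REG_AX is taken as MAX_BPF_REG (11), and the `fixed` flag is an assumption of this example used to contrast the switch that matches only BPF_ST|BPF_MEM with one that also matches BPF_ST|BPF_PROBE_MEM32. The rewritten STX instruction is built by hand so the original mode bits survive, which is the point the advisory makes about BPF_STX_MEM().

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed for this example: opcode fields and values mirror the uapi
 * eBPF encoding (include/uapi/linux/bpf.h); the struct matches bpf_insn. */
#define BPF_CLASS(code) ((code) & 0x07)
#define BPF_SIZE(code)  ((code) & 0x18)
#define BPF_MODE(code)  ((code) & 0xe0)

#define BPF_ST          0x02
#define BPF_STX         0x03
#define BPF_ALU         0x04
#define BPF_K           0x00
#define BPF_W           0x00
#define BPF_MEM         0x60
#define BPF_PROBE_MEM32 0xa0   /* arena (R12-based on x86-64) addressing mode */
#define BPF_MOV         0xb0
#define BPF_XOR         0xa0
#define BPF_REG_1       1
#define BPF_REG_AX      11     /* MAX_BPF_REG: JIT-private scratch register (assumed) */

struct bpf_insn {
    uint8_t code;
    uint8_t dst_reg:4;
    uint8_t src_reg:4;
    int16_t off;
    int32_t imm;
};

/* Equivalent of BPF_ALU32_IMM(OP, DST, IMM). */
static struct bpf_insn alu32_imm(uint8_t op, uint8_t dst, int32_t imm)
{
    struct bpf_insn insn = { .code = BPF_ALU | op | BPF_K, .dst_reg = dst,
                             .src_reg = 0, .off = 0, .imm = imm };
    return insn;
}

/* An immediate store as the verifier leaves it: BPF_ST | size | mode. */
struct bpf_insn st_imm(uint8_t mode, uint8_t size, uint8_t dst, int16_t off, int32_t imm)
{
    struct bpf_insn insn = { .code = BPF_ST | size | mode, .dst_reg = dst,
                             .src_reg = 0, .off = off, .imm = imm };
    return insn;
}

/* Blind one instruction. `to` must hold at least 3 entries. Returns the
 * number written: 3 when the store was rewritten, 1 when it was copied.
 * fixed == false models the switch that matches only BPF_ST|BPF_MEM;
 * fixed == true also matches BPF_ST|BPF_PROBE_MEM32. */
int blind_store_insn(const struct bpf_insn *from, struct bpf_insn *to,
                     uint32_t imm_rnd, bool fixed)
{
    uint8_t mode = BPF_MODE(from->code);
    bool blind = BPF_CLASS(from->code) == BPF_ST &&
                 (mode == BPF_MEM || (fixed && mode == BPF_PROBE_MEM32));

    if (!blind) {
        to[0] = *from;          /* falls through unblinded */
        return 1;
    }

    /* AX = (imm ^ rnd) ^ rnd: neither immediate reaching native code equals
     * the original constant, but the stored value is unchanged. */
    to[0] = alu32_imm(BPF_MOV, BPF_REG_AX, (int32_t)(imm_rnd ^ (uint32_t)from->imm));
    to[1] = alu32_imm(BPF_XOR, BPF_REG_AX, (int32_t)imm_rnd);

    /* Register store built directly: keep size and mode from the original,
     * which BPF_STX_MEM() would replace with a hardcoded BPF_MEM. */
    to[2].code    = BPF_STX | BPF_SIZE(from->code) | mode;
    to[2].dst_reg = from->dst_reg;
    to[2].src_reg = BPF_REG_AX;
    to[2].off     = from->off;
    to[2].imm     = 0;
    return 3;
}

/* Check for the defect: any BPF_ST with a non-zero immediate left behind. */
bool has_unblinded_store(const struct bpf_insn *prog, int n)
{
    for (int i = 0; i < n; i++)
        if (BPF_CLASS(prog[i].code) == BPF_ST && prog[i].imm != 0)
            return true;
    return false;
}

/* The value AX holds, and the STX stores, after the mov+xor pair. */
int32_t blinded_store_value(const struct bpf_insn *to)
{
    return to[0].imm ^ to[1].imm;
}

/* Runs the scenario on a constructed arena store; true when the fixed
 * path blinds it while preserving BPF_PROBE_MEM32 and the stored value. */
bool run_blinding_demo(void)
{
    struct bpf_insn from = st_imm(BPF_PROBE_MEM32, BPF_W, BPF_REG_1, 8, 0x0f0f0f0f);
    struct bpf_insn out[3];
    uint32_t rnd = 0x12345678u;   /* stands in for get_random_u32() */

    if (blind_store_insn(&from, out, rnd, false) != 1 || !has_unblinded_store(out, 1))
        return false;
    if (blind_store_insn(&from, out, rnd, true) != 3 || has_unblinded_store(out, 3))
        return false;
    return BPF_CLASS(out[2].code) == BPF_STX && BPF_MODE(out[2].code) == BPF_PROBE_MEM32 &&
           out[2].src_reg == BPF_REG_AX && blinded_store_value(out) == from.imm;
}

int main(void)
{
    printf("PROBE_MEM32 store blinded with mode preserved: %s\n",
           run_blinding_demo() ? "yes" : "no");
    return 0;
}
```

The `has_unblinded_store()` scan is the check a reviewer of a JIT rewrite pass wants: after blinding, no BPF_ST instruction should still carry a user-chosen immediate, whatever its mode.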
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23417.json",
"cna_assigner": "Linux"
}