CVE-2026-45886

Source
https://cve.org/CVERecord?id=CVE-2026-45886
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45886.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-45886
Published
2026-05-27T12:16:58Z
Modified
2026-06-27T11:55:05.961066382Z
Summary
bpf: Fix bpf_xdp_store_bytes proto for read-only arg
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix bpf_xdp_store_bytes proto for read-only arg

While making some maps in Cilium read-only from the BPF side, we noticed that the bpf_xdp_store_bytes proto is incorrect. In particular, the verifier was throwing the following error:

    ; ret = ctx_store_bytes(ctx, l3_off + offsetof(struct iphdr, saddr), &nat->address, 4, 0);
    635: (79) r1 = *(u64 *)(r10 -144)      ; R1=ctx() R10=fp0 fp-144=ctx()
    636: (b4) w2 = 26                      ; R2=26
    637: (b4) w4 = 4                       ; R4=4
    638: (b4) w5 = 0                       ; R5=0
    639: (85) call bpf_xdp_store_bytes#190
    write into map forbidden, value_size=6 off=0 size=4

nat comes from a BPF_F_RDONLY_PROG map, so R3 is a PTR_TO_MAP_VALUE. The verifier checks the helper's memory access to R3 in check_mem_size_reg, as it reaches ARG_CONST_SIZE argument. The third argument has expected type ARG_PTR_TO_UNINIT_MEM, which includes the MEM_WRITE flag. The verifier thus checks for a BPF_WRITE access on R3. Given R3 points to a read-only map, the check fails.

Conversely, ARG_PTR_TO_UNINIT_MEM can also lead to the helper reading from uninitialized memory.

This patch simply fixes the expected argument type to match that of bpf_skb_store_bytes.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45886.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
    Introduced: 3f364222d032eea6b245780e845ad213dab28cdd
    Fixed: ffb5d1c5e3933b947fc7303ad68bf0c536d0c85e
    Fixed: ddc34a1b85505c919026ddc82fafdada9a160b15
    Fixed: 0db169a91381a473b7974021d1c02f8da72c5775
    Fixed: d7b87adeb0eb539b9b824b101bb14fb01e41240b
    Fixed: 57f7f6a0ad04a65c8a7a067b2f56cbbf2aec9e52
    Fixed: 6557f1565d779851c4db9c488c49c05a47a6e72f

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45886.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type         Introduced   Fixed
ECOSYSTEM    5.18.0       6.1.165
ECOSYSTEM    6.2.0        6.6.128
ECOSYSTEM    6.7.0        6.12.75
ECOSYSTEM    6.13.0       6.18.14
ECOSYSTEM    6.19.0       6.19.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45886.json"