In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix bpf_xdp_store_bytes proto for read-only arg
While making some maps in Cilium read-only from the BPF side, we noticed that the bpf_xdp_store_bytes proto is incorrect. In particular, the verifier was throwing the following error:
  ; ret = ctx_store_bytes(ctx, l3_off + offsetof(struct iphdr, saddr), &nat->address, 4, 0);
  635: (79) r1 = *(u64 *)(r10 -144)     ; R1=ctx() R10=fp0 fp-144=ctx()
  636: (b4) w2 = 26                     ; R2=26
  637: (b4) w4 = 4                      ; R4=4
  638: (b4) w5 = 0                      ; R5=0
  639: (85) call bpf_xdp_store_bytes#190
  write into map forbidden, value_size=6 off=0 size=4
nat comes from a BPF_F_RDONLY_PROG map, so R3 is a PTR_TO_MAP_VALUE. The verifier checks the helper's memory access to R3 in check_mem_size_reg, as it reaches the ARG_CONST_SIZE argument. The third argument has expected type ARG_PTR_TO_UNINIT_MEM, which includes the MEM_WRITE flag. The verifier thus checks for a BPF_WRITE access on R3. Given R3 points to a read-only map, the check fails.
Conversely, ARG_PTR_TO_UNINIT_MEM can also lead to the helper reading from uninitialized memory.
This patch simply fixes the expected argument type to match that of bpf_skb_store_bytes.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45886.json"
}