{ "affected": [ { "ecosystem_specific": { "urgency": "not yet assigned" }, "package": { "ecosystem": "Debian:13", "name": "linux" }, "ranges": [ { "events": [ { "introduced": "0" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": { "urgency": "not yet assigned" }, "package": { "ecosystem": "Debian:14", "name": "linux" }, "ranges": [ { "events": [ { "introduced": "0" } ], "type": "ECOSYSTEM" } ] } ], "details": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix constant blinding for PROBE_MEM32 stores BPF_ST | BPF_PROBE_MEM32 immediate stores are not handled by bpf_jit_blind_insn(), allowing user-controlled 32-bit immediates to survive unblinded into JIT-compiled native code when bpf_jit_harden \u003e= 1. The root cause is that convert_ctx_accesses() rewrites BPF_ST|BPF_MEM to BPF_ST|BPF_PROBE_MEM32 for arena pointer stores during verification, before bpf_jit_blind_constants() runs during JIT compilation. The blinding switch only matches BPF_ST|BPF_MEM (mode 0x60), not BPF_ST|BPF_PROBE_MEM32 (mode 0xa0). The instruction falls through unblinded. Add BPF_ST|BPF_PROBE_MEM32 cases to bpf_jit_blind_insn() alongside the existing BPF_ST|BPF_MEM cases. The blinding transformation is identical: load the blinded immediate into BPF_REG_AX via mov+xor, then convert the immediate store to a register store (BPF_STX). The rewritten STX instruction must preserve the BPF_PROBE_MEM32 mode so the architecture JIT emits the correct arena addressing (R12-based on x86-64). Cannot use the BPF_STX_MEM() macro here because it hardcodes BPF_MEM mode; construct the instruction directly instead.", "id": "DEBIAN-CVE-2026-23417", "modified": "2026-04-03T09:48:29.669457848Z", "published": "2026-04-02T12:16:21.097Z", "references": [ { "type": "ADVISORY", "url": "https://security-tracker.debian.org/tracker/CVE-2026-23417" } ], "upstream": [ "CVE-2026-23417" ] }