PatchSiren

CVE-2026-45886 Linux CVE debrief

A vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) subsystem has been resolved. The function prototype for `bpf_xdp_store_bytes` declared its third argument as `ARG_PTR_TO_UNINIT_MEM`, a type that includes the `MEM_WRITE` flag. As a result, the BPF verifier rejected legitimate programs that used `bpf_xdp_store_bytes` with read-only map values: it checked for `BPF_WRITE` access on the read-only map pointer and failed. Additionally, `ARG_PTR_TO_UNINIT_MEM` could allow reading from uninitialized memory. The fix aligns the argument type with that of `bpf_skb_store_bytes` so that the helper uses the correct memory access semantics.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running XDP-based networking solutions, particularly Cilium users leveraging read-only BPF maps, and Linux kernel maintainers responsible for BPF subsystem stability.

Technical summary

The `bpf_xdp_store_bytes` helper function in the Linux kernel had an incorrect prototype that specified `ARG_PTR_TO_UNINIT_MEM` for its source data argument. This type carries `MEM_WRITE` semantics, so the BPF verifier rejected programs that passed read-only map values to the helper. The verifier's `check_mem_size_reg` function would detect the `BPF_WRITE` flag and fail when R3 pointed to a `BPF_F_RDONLY_PROG` map. The fix changes the expected argument type to match `bpf_skb_store_bytes`, resolving both the false rejection of legitimate programs and the potential for reading uninitialized memory.

Defensive priority

medium

Recommended defensive actions

  • Review BPF programs using bpf_xdp_store_bytes to ensure they function correctly after kernel updates
  • Apply kernel updates containing the referenced stable commits when available for your distribution
  • Monitor for any BPF program loading failures after kernel upgrades that may indicate verifier behavior changes
  • Consider testing XDP programs with read-only map configurations to verify correct operation

Evidence notes

The vulnerability description indicates this was discovered during Cilium development when making maps read-only from the BPF side. The verifier error 'write into map forbidden' demonstrates the incorrect access check. Multiple stable kernel commits are referenced, indicating backports to various kernel versions.
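
One way to act on the monitoring advice, as an added example that is not part of the original advisory: a triage function that reads the verifier log of a failed program load and separates the signature described here (the 'write into map forbidden' error directly after a call to `bpf_xdp_store_bytes`) from a program that genuinely writes to a read-only map. The log line shapes and the three sample logs are constructed assumptions.

```python
import re

# Assumed verifier-log instruction shape (an assumption, not from the advisory):
#   "<idx>: (<opcode>) <disassembly>", e.g. "15: (85) call <helper>#<id>"
INSN = re.compile(r"^\d+: \([0-9a-f]{2}\) (.*)$")
CALL = re.compile(r"^call (\w+)#\d+")
ERROR = "write into map forbidden"  # error string quoted in the advisory
HELPER = "bpf_xdp_store_bytes"


def triage(verifier_log: str) -> str:
    """Classify the verifier log of one failed program load.

    'helper-proto'  : error directly follows a call to bpf_xdp_store_bytes,
                      the signature described here (kernel lacks the fix).
    'genuine-write' : error follows any other instruction, so the program
                      itself writes to a read-only map.
    'unrelated'     : the error string does not appear.
    """
    last_insn = ""
    for line in verifier_log.splitlines():
        line = line.strip()
        m = INSN.match(line)
        if m:
            last_insn = m.group(1)  # most recent instruction seen
        elif line.startswith(ERROR):
            call = CALL.match(last_insn)
            if call and call.group(1) == HELPER:
                return "helper-proto"
            return "genuine-write"
    return "unrelated"


# Constructed sample logs, for illustration only.
LOG_HELPER = """\
14: (b7) r4 = 6
15: (85) call bpf_xdp_store_bytes#190
write into map forbidden, value_size=6 off=0 size=6
"""
LOG_STORE = """\
9: (7b) *(u64 *)(r0 +0) = r1
write into map forbidden, value_size=8 off=0 size=8
"""
LOG_OTHER = """\
3: (85) call bpf_map_lookup_elem#1
R1 type=scalar expected=map_ptr
"""

if __name__ == "__main__":
    print([triage(log) for log in (LOG_HELPER, LOG_STORE, LOG_OTHER)])
```

A 'helper-proto' result on a given host points at a kernel without the fix rather than at a defect in the XDP program; 'genuine-write' means the program itself needs review.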
