PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45903 Linux CVE debrief

A memory access flag inconsistency in Linux kernel BPF helper prototypes allows the verifier to incorrectly optimize away memory reads, potentially causing correctness issues in BPF programs. The vulnerability stems from helper functions using ARG_PTR_TO_MEM without proper MEM_RDONLY or MEM_WRITE flags, causing the verifier to assume buffer contents remain unchanged across helper calls. The fix corrects these prototypes, including changing bpf_get_stack_proto_raw_tp from MEM_RDONLY to ARG_PTR_TO_UNINIT_MEM to properly indicate write access.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Linux systems with eBPF/BPF workloads, particularly those using custom BPF programs or relying on kernel BPF helpers for stack traces, sysctl operations, or path resolution. Cloud providers and container platforms using eBPF for observability, security, or networking should prioritize kernel updates.

Technical summary

The Linux kernel BPF verifier relies on memory access type flags in helper function prototypes to perform optimizations. Several helpers using ARG_PTR_TO_MEM lacked proper MEM_RDONLY or MEM_WRITE flags, causing the verifier to incorrectly assume buffer contents were unchanged across helper calls. This could lead to incorrect optimization of subsequent reads. The fix adds correct memory access flags to helper prototypes, including changing bpf_get_stack_proto_raw_tp from MEM_RDONLY to ARG_PTR_TO_UNINIT_MEM to properly indicate write access to potentially uninitialized memory.
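The following simplified model is an added example, not kernel code or code from the fix commit. It shows why a prototype that omits MEM_WRITE for a buffer the helper fills lets a later read use a stale constant. The flag values, `helper_fill` and the single-slot verifier state are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed flag values for this model; the kernel's encodings differ. */
enum {
    ARG_PTR_TO_MEM = 1 << 0,
    MEM_RDONLY     = 1 << 1,
    MEM_WRITE      = 1 << 2,
    MEM_UNINIT     = 1 << 3,
    ARG_PTR_TO_UNINIT_MEM = ARG_PTR_TO_MEM | MEM_WRITE | MEM_UNINIT,
};

/* Toy verifier knowledge about one 8-byte stack slot. */
struct slot_state { bool known; uint64_t value; };

/* Hypothetical helper standing in for one that fills the caller's buffer. */
static void helper_fill(uint64_t *buf) { *buf = 0x1122334455667788ULL; }

/* Verifier side: only a prototype declaring MEM_WRITE invalidates the slot. */
static void verifier_after_call(struct slot_state *s, unsigned arg_type)
{
    if (arg_type & MEM_WRITE)
        s->known = false;
}

/* True when the value used for a read after the call equals memory. */
bool read_after_call_is_consistent(unsigned arg_type)
{
    uint64_t buf = 0;                    /* program zeroes the slot */
    struct slot_state s = { true, 0 };   /* verifier records constant 0 */

    helper_fill(&buf);                   /* run time: helper overwrites it */
    verifier_after_call(&s, arg_type);   /* verify time: consult prototype */

    uint64_t seen = s.known ? s.value : buf;  /* folded constant or real load */
    return seen == buf;
}

int main(void)
{
    printf("no flag:    %d\n", read_after_call_is_consistent(ARG_PTR_TO_MEM));
    printf("MEM_RDONLY: %d\n", read_after_call_is_consistent(ARG_PTR_TO_MEM | MEM_RDONLY));
    printf("MEM_WRITE:  %d\n", read_after_call_is_consistent(ARG_PTR_TO_MEM | MEM_WRITE));
    printf("UNINIT_MEM: %d\n", read_after_call_is_consistent(ARG_PTR_TO_UNINIT_MEM));
    return 0;
}
```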

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing commits 802eef5afb1865bc5536a5302c068ba2215a1f72 (mainline) and stable backports aa319592892068bd960c1a1c07bd621085b0c63d, fdfe75161f6e8c41a7d3023fbb815b537107b806
  • Monitor for kernel security advisories from distribution maintainers
  • Validate BPF program behavior after kernel updates if running custom eBPF workloads
  • Review custom BPF helper usage for reliance on verifier memory optimization assumptions

Evidence notes

CVE published 2026-05-27. Kernel commit 802eef5afb1865bc5536a5302c068ba2215a1f72 and the related stable backports (aa319592892068bd960c1a1c07bd621085b0c63d, fdfe75161f6e8c41a7d3023fbb815b537107b806) contain the fix. The issue was introduced after commit 37cce22dbd51, which added verifier reliance on access type flags. Related prior fixes in commits ac44dcc788b9 and 2eb7648558a7 addressed similar issues for bpf_d_path and bpf_sysctl_get_name.
