PatchSiren

CVE-2026-45927 Linux CVE debrief

A Time-of-Check-Time-of-Use (TOCTOU) vulnerability in the Linux kernel's BPF subsystem allowed userspace to cache a map hash before modifying map contents, potentially tricking trusted loaders into verifying stale hashes against modified data. The fix enforces that map hashes are only calculated when maps are frozen (immutable), preventing the race condition.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators, kernel security teams, developers of trusted loading mechanisms for BPF programs, and organizations relying on BPF map hash integrity for supply chain or attestation workflows.

Technical summary

The Linux kernel's bpf_map_get_info_by_fd function previously calculated and cached BPF map hashes regardless of whether the map was frozen (immutable). This created a TOCTOU window where userspace could: (1) call BPF_OBJ_GET_INFO_BY_FD to cache the hash, (2) modify map contents, and (3) present the modified map with the now-stale hash to a trusted loader. The fix returns -EPERM when hash calculation is requested for unfrozen maps, ensuring hashes only represent final immutable states.
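
The stale-hash window and the effect of the frozen-map check can be modelled in user space. The following C model is an added example, not kernel code and not taken from the advisory: `toy_map`, `toy_digest`, `toy_update`, `toy_get_hash` and `run_sequence` are hypothetical names, the map contents are constructed, and FNV-1a stands in for the real map digest.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Toy stand-in for a BPF map (hypothetical model, not kernel code). */
struct toy_map {
    char     data[8];
    bool     frozen;      /* once set, updates are refused */
    bool     has_hash;    /* an info query has stored a hash */
    uint64_t hash;
};

/* FNV-1a stands in for the real digest; only equality matters here. */
static uint64_t toy_digest(const struct toy_map *m)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < sizeof m->data; i++)
        h = (h ^ (uint8_t)m->data[i]) * 1099511628211ULL;
    return h;
}

/* Replace the contents; v must point to 8 bytes. Refused once frozen. */
static int toy_update(struct toy_map *m, const char v[8])
{
    if (m->frozen)
        return -EPERM;
    memcpy(m->data, v, sizeof m->data);
    return 0;
}

/* Info query: require_frozen=false models pre-fix behaviour, true the fix. */
static int toy_get_hash(struct toy_map *m, bool require_frozen)
{
    if (require_frozen && !m->frozen)
        return -EPERM;
    m->hash = toy_digest(m);
    m->has_hash = true;
    return 0;
}

/* Query the hash, then update; report whether a stored hash went stale. */
bool run_sequence(bool require_frozen, bool freeze_first, int *q, int *u)
{
    struct toy_map m = { .data = "trusted", .frozen = freeze_first };
    *q = toy_get_hash(&m, require_frozen);   /* result of the hash query */
    *u = toy_update(&m, "changed");          /* result of the later update */
    return m.has_hash && m.hash != toy_digest(&m);
}
```

Without the check, the query succeeds, the update succeeds, and the stored hash no longer describes the contents. With the check, the query on an unfrozen map returns `-EPERM`, and on a frozen map it is the later update that fails, so a stored hash always matches the data.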

Defensive priority

medium

Recommended defensive actions

  • Audit systems for unpatched Linux kernels with BPF map hash functionality
  • Review trusted loader implementations that rely on BPF map hashes for integrity verification
  • Apply kernel updates containing the referenced stable commits when available
  • Consider additional integrity verification mechanisms beyond BPF map hashes for security-critical loading scenarios

Evidence notes

The vulnerability description indicates this was resolved in the Linux kernel by requiring frozen map state before hash calculation. Multiple stable kernel commits are referenced. No CVSS score or severity has been assigned by NVD as of the modified date.

Official resources

2026-05-27