PatchSiren

CVE-2026-45967 Linux CVE debrief

A double-offset bug in the Linux kernel's BPF instruction array map handling could lead to incorrect address calculations. The `map_direct_value_addr()` function incorrectly adds an offset to the resulting address, but `resolve_pseudo_ldimm64()` later adds the same offset again. This duplicate offset application could cause BPF programs to reference wrong memory locations, potentially leading to information disclosure or memory corruption. The vulnerability affects the BPF subsystem's instruction array map implementation. Kernel patches are available to remove the erroneous offset addition in `map_direct_value_addr()`.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux kernel administrators, container platform operators, security teams monitoring eBPF-based security tools, and organizations running workloads that utilize BPF instruction array maps for packet filtering, tracing, or security enforcement.

Technical summary

The vulnerability exists in the BPF (Berkeley Packet Filter) subsystem's instruction array map implementation. Specifically, `map_direct_value_addr()` incorrectly adds an offset parameter to the returned address when handling non-zero offsets. However, the caller `resolve_pseudo_ldimm64()` also adds this same offset later in the code path. This results in a double-offset application, causing BPF programs to compute incorrect addresses for instruction array map values. The bug could manifest as reading from or writing to unintended kernel memory locations. The fix removes the erroneous offset addition from `map_direct_value_addr()`, ensuring the offset is applied exactly once by `resolve_pseudo_ldimm64()`. Corresponding selftests were added to prevent regression.
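
A simplified user-space model of the double-offset pattern described above, added here as an illustration; it is not kernel code and not part of the fix. The names `addr_buggy`, `addr_fixed`, `resolve_effective_off` and `count_mismatches`, the 64-byte region and the bounds check in the callee are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
/* Simplified user-space model; every name below is hypothetical, not kernel code. */
#define REGION_SIZE 64u                 /* constructed size of the map value region */
static uint8_t region[REGION_SIZE];
typedef int (*addr_fn)(uint64_t *imm, uint32_t off);

/* Callee as described before the fix: folds off into the returned address.
 * The bounds check is an assumption of this model. */
static int addr_buggy(uint64_t *imm, uint32_t off)
{
    if (off >= REGION_SIZE) return -1;
    *imm = (uint64_t)(uintptr_t)region + off;   /* erroneous first application */
    return 0;
}

/* Callee as described after the fix: returns the base address only. */
static int addr_fixed(uint64_t *imm, uint32_t off)
{
    if (off >= REGION_SIZE) return -1;
    *imm = (uint64_t)(uintptr_t)region;
    return 0;
}

/* Caller model: adds off itself, as resolve_pseudo_ldimm64() is described as doing.
 * Returns the effective offset from the region base, or -1 if off was rejected. */
static int64_t resolve_effective_off(addr_fn fn, uint32_t off)
{
    uint64_t addr;
    if (fn(&addr, off) != 0) return -1;
    addr += off;                                /* the one intended application */
    return (int64_t)(addr - (uint64_t)(uintptr_t)region);
}

/* Regression-style check: how many accepted offsets resolve to the wrong place? */
static unsigned count_mismatches(addr_fn fn)
{
    unsigned bad = 0;
    for (uint32_t off = 0; off < REGION_SIZE; off++)
        if (resolve_effective_off(fn, off) != (int64_t)off)
            bad++;
    return bad;
}

int main(void)
{
    printf("buggy: %u mismatches, fixed: %u mismatches\n",
           count_mismatches(addr_buggy), count_mismatches(addr_fixed));
    return 0;
}
```

In this model only offset 0 resolves correctly with the pre-fix callee, which is why a check that exercises zero offsets alone would not catch the regression.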

Defensive priority

medium

Recommended defensive actions

  • Apply the relevant stable kernel patches from the Linux kernel stable tree to remove the erroneous offset handling in `map_direct_value_addr()`
  • Rebuild and deploy updated kernel with patched BPF subsystem
  • Verify BPF program loading and execution behavior post-patch, particularly for instruction array maps with non-zero offsets
  • Monitor for any anomalous BPF-related kernel messages or crashes that could indicate exploitation attempts
  • If running containerized workloads using BPF, validate that security policies and observability tools continue to function correctly after kernel update

Evidence notes

Vulnerability description confirms double-offset bug in BPF instruction array map. Two kernel.org stable branch commits provided as references. No CVSS score assigned; NVD status is 'Awaiting Analysis'.

Official resources

2026-05-27