CVE-2026-23383
Description
In the Linux kernel, the following vulnerability has been resolved:
bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing
struct bpf_plt contains a u64 target field. Currently, the BPF JIT allocator requests an alignment of 4 bytes (sizeof(u32)) for the JIT buffer.
Because the base address of the JIT buffer can be 4-byte aligned (e.g., ending in 0x4 or 0xc), the relative padding logic in build_plt() fails to ensure that target lands on an 8-byte boundary.
This leads to two issues:
1. UBSAN reports misaligned-access warnings when dereferencing the structure.
2. More critically, target is updated concurrently via WRITE_ONCE() in bpf_arch_text_poke() while the JIT'd code executes ldr. On arm64, 64-bit loads/stores are only guaranteed to be single-copy atomic if they are 64-bit aligned. A misaligned target risks a torn read, causing the JIT to jump to a corrupted address.
Fix this by increasing the allocation alignment requirement to 8 bytes (sizeof(u64)) in bpf_jit_binary_pack_alloc(). This anchors the base of the JIT buffer to an 8-byte boundary, allowing the relative padding math in build_plt() to correctly align the target field.
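The alignment arithmetic in the description can be checked in isolation. The following C program is an added illustration, not kernel code: it models the PLT as two 32-bit instruction slots followed by a u64 target (the real struct bpf_plt layout is assumed, not copied), models build_plt()'s "relative padding" as rounding the PLT offset up to a multiple of 8 relative to the buffer start, and then counts, over constructed sample base addresses and body lengths, how often the absolute address of target ends up misaligned when the allocator guarantees only 4-byte alignment versus 8-byte alignment.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the PLT entry: two instruction words then a 64-bit target.
 * Assumed layout for this example; the kernel's struct bpf_plt may differ. */
struct model_plt {
    uint32_t insn_ldr;
    uint32_t insn_br;
    uint64_t target;
};

/* Round n up to the next multiple of align (align must be a power of two). */
static uintptr_t align_up(uintptr_t n, uintptr_t align)
{
    return (n + align - 1) & ~(align - 1);
}

/* Simplified model of the relative padding in build_plt(): the PLT is placed
 * after the program body at an offset, measured from the buffer start, that is
 * rounded up to 8. This keeps offsetof(target) a multiple of 8 relative to the
 * buffer, but says nothing about the absolute address. (Assumption.) */
static uintptr_t plt_target_addr(uintptr_t buf_base, size_t body_len)
{
    uintptr_t plt_off = align_up(body_len, 8);
    return buf_base + plt_off + offsetof(struct model_plt, target);
}

/* On arm64 a 64-bit load/store is single-copy atomic only when naturally
 * aligned, so this is the property the JIT'd ldr depends on. */
static bool is_atomic_u64_addr(uintptr_t addr)
{
    return (addr % sizeof(uint64_t)) == 0;
}

/* Model of the allocator: 'raw' is an arbitrary pool address (constructed),
 * and the allocator only promises 'alloc_align' for the returned base. */
static uintptr_t jit_alloc_base(uintptr_t raw, size_t alloc_align)
{
    return align_up(raw, alloc_align);
}

/* Count how many (base, body length) combinations leave the target field
 * misaligned for a given allocator alignment. Sample inputs are constructed. */
static unsigned count_misaligned(size_t alloc_align)
{
    unsigned bad = 0;
    for (uintptr_t raw = 0x1000; raw < 0x1040; raw += 4)
        for (size_t body = 0; body < 64; body += 4) {
            uintptr_t base = jit_alloc_base(raw, alloc_align);
            if (!is_atomic_u64_addr(plt_target_addr(base, body)))
                bad++;
        }
    return bad;
}

int main(void)
{
    /* sizeof(u32) alignment, as before the fix: bases ending in 0x4 or 0xc
     * push every target address to a 4-mod-8 position. */
    printf("misaligned targets with 4-byte base alignment: %u\n",
           count_misaligned(sizeof(uint32_t)));
    /* sizeof(u64) alignment, as after the fix: the relative padding now
     * also yields an absolutely aligned target. */
    printf("misaligned targets with 8-byte base alignment: %u\n",
           count_misaligned(sizeof(uint64_t)));
    return 0;
}
```

The point the model makes explicit is that padding relative to the buffer start can only preserve whatever alignment the base already has; with a 4-byte base guarantee, half of the sampled bases put target at an address that is 4 mod 8, and no amount of relative padding fixes that. Raising the allocation alignment to 8 is what makes the relative math sufficient.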
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel BPF JIT for arm64, insufficient buffer alignment (4 bytes) can cause torn reads of a u64 target field, leading to potential code execution.
Vulnerability
The BPF JIT allocator for arm64 in the Linux kernel requests only 4-byte alignment for the JIT buffer, while the struct bpf_plt contains a u64 target field that requires 8-byte alignment for atomic operations. Because the base address can be 4-byte aligned (e.g., ending in 0x4 or 0xc), the padding logic in build_plt() fails to guarantee that the target field lands on an 8-byte boundary. This results in two issues: UBSAN reports misaligned-access warnings, and, more critically, the target field is updated concurrently via WRITE_ONCE() in bpf_arch_text_poke() while JIT'd code executes it, so an attacker can trigger a torn read of the 64-bit value, causing the JIT to jump to a corrupted address [1][2].
Exploitation
An attacker with the ability to load and execute BPF programs (typically requiring CAP_BPF or root privileges) can exploit this vulnerability. The attack surface is local, as BPF programs are loaded from userspace. No special network access is needed. The prerequisite is that the system runs an arm64 kernel with the BPF JIT enabled. The attacker crafts a BPF program that triggers the misaligned access, leading to a torn read of the target pointer during a concurrent update [3].
Impact
A successful exploit could allow an attacker to redirect execution to an arbitrary address, potentially leading to arbitrary code execution in kernel context. This could result in full system compromise, including privilege escalation and bypass of security mechanisms. The CVSS v3 score of 7.8 (High) reflects the high impact on confidentiality, integrity and availability, though the attack complexity is high due to the need for precise timing [4].
Mitigation
The fix increases the allocation alignment requirement to 8 bytes (sizeof(u64)) in bpf_jit_binary_pack_alloc(), ensuring the base of the JIT buffer is 8-byte aligned, which allows the padding math to correctly align the target field. The patch has been applied to the stable kernel tree [1][2][3][4]. Users should update to a kernel version containing this commit to mitigate the vulnerability.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=6.0.1, <6.12.77)
- cpe:2.3:o:linux:linux_kernel:6.0:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.