CVE-2026-23417

The vulnerability lies in the Linux kernel's BPF constant blinding mechanism. The function bpf_jit_blind_insn() is responsible for obfuscating immediate values in JIT-compiled BPF instructions when bpf_jit_harden >= 1. However, it only handles BPF_ST|BPF_MEM (mode 0x60) stores. During verification, convert_ctx_accesses() rewrites immediate stores to arena pointers into BPF_ST|BPF_PROBE_MEM32 (mode 0xa0), but the blinding switch statement does not match this new mode. Consequently, user-controlled 32-bit immediate values survive unblinded into the generated native code, bypassing the hardening protection.

To exploit this, an attacker must be able to supply BPF programs that include immediate stores to arena pointers. On systems where bpf_jit_harden is set to 1 or 2, the attacker's immediate value is not randomized. The attacker would also need the ability to load arbitrary BPF code, typically requiring privileged access (CAP_BPF) or another mechanism to load BPF programs. The exploitation scenario involves the unblinded constant being exposed in JIT code, potentially enabling constant-cache timing attacks or making JIT spray attacks more predictable.

The primary impact is the weakening of BPF JIT hardening. An unblinded constant can leak information about the kernel's address space layout or allow an attacker to control a value that is assumed to be obfuscated. This reduces the effectiveness of constant blinding as a mitigation against speculative execution attacks and other information disclosure techniques.

The fix adds BPF_ST|BPF_PROBE_MEM32 cases to bpf_jit_blind_insn() alongside the existing BPF_ST|BPF_MEM cases. The blinding transformation is identical: load the blinded immediate into BPF_REG_AX via mov+xor, then convert the immediate store to a register store (BPF_STX) while preserving the BPF_PROBE_MEM32 mode. This ensures that arena pointer store immediates are correctly blinded and hardened. The corrected code is included in the Linux kernel stable tree.