VYPR
Unrated severity · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-45886

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix bpf_xdp_store_bytes proto for read-only arg

While making some maps in Cilium read-only from the BPF side, we noticed that the bpf_xdp_store_bytes proto is incorrect. In particular, the verifier was throwing the following error:

    ; ret = ctx_store_bytes(ctx, l3_off + offsetof(struct iphdr, saddr), &nat->address, 4, 0);
    635: (79) r1 = *(u64 *)(r10 -144) ; R1=ctx() R10=fp0 fp-144=ctx()
    636: (b4) w2 = 26 ; R2=26
    637: (b4) w4 = 4 ; R4=4
    638: (b4) w5 = 0 ; R5=0
    639: (85) call bpf_xdp_store_bytes#190
    write into map forbidden, value_size=6 off=0 size=4

nat comes from a BPF_F_RDONLY_PROG map, so R3 is a PTR_TO_MAP_VALUE. The verifier checks the helper's memory access to R3 in check_mem_size_reg, as it reaches ARG_CONST_SIZE argument. The third argument has expected type ARG_PTR_TO_UNINIT_MEM, which includes the MEM_WRITE flag. The verifier thus checks for a BPF_WRITE access on R3. Given R3 points to a read-only map, the check fails.

Conversely, ARG_PTR_TO_UNINIT_MEM can also lead to the helper reading from uninitialized memory.

This patch simply fixes the expected argument type to match that of bpf_skb_store_bytes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A BPF verifier fix for `bpf_xdp_store_bytes` helper argument type prevents false positives with read-only maps like those in Cilium.

Vulnerability

The bpf_xdp_store_bytes helper in the Linux kernel had an incorrect prototype in the BPF verifier. The third argument was declared as ARG_PTR_TO_UNINIT_MEM, which includes the MEM_WRITE flag. This caused the verifier to incorrectly reject valid programs that passed data from a read-only BPF map (e.g., a BPF_F_RDONLY_PROG map) to the helper, even though the helper only needs to read that data. The issue affected all kernel versions with BPF support, including the ffb5d1c5e3933b947fc7303ad68bf0c536d0c85e commit [1].

Exploitation

An attacker does not need specific network position or authentication to trigger this vulnerability. The bug is a kernel verifier logic error that can prevent legitimate XDP programs from passing the verifier when they use bpf_xdp_store_bytes with a read-only map value. No privilege escalation or runtime exploitation is directly possible from this bug; it is a program rejection condition.

Impact

The impact is a denial of service for specific BPF programs. Programs that invoke bpf_xdp_store_bytes with data from a read-only map (such as Cilium's NAT maps) are rejected by the verifier, causing the program to fail to load. This can break legitimate networking functionality without any runtime compromise [1]. The kernel fix aligns the argument type with that of bpf_skb_store_bytes to avoid this false positive.

Mitigation

The fix was applied in commit ffb5d1c5e3933b947fc7303ad68bf0c536d0c85e and is expected to be included in subsequent stable kernel releases. Users should apply kernel updates that contain this patch. No workaround is available for unpatched kernels other than modifying affected XDP programs to avoid using read-only maps with this helper [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

6557f1565d77

bpf: Fix bpf_xdp_store_bytes proto for read-only arg

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Paul Chaignon · Jan 31, 2026 · Fixed in 7.0 · via kernel-cna
1 file changed · +1 2
  • net/core/filter.c+1 2 modified
    diff --git a/net/core/filter.c b/net/core/filter.c
    index d14401193b01d0..f04982d79d72e9 100644
    --- a/net/core/filter.c
    +++ b/net/core/filter.c
    @@ -4135,7 +4135,7 @@ static const struct bpf_func_proto bpf_xdp_store_bytes_proto = {
     	.ret_type	= RET_INTEGER,
     	.arg1_type	= ARG_PTR_TO_CTX,
     	.arg2_type	= ARG_ANYTHING,
    -	.arg3_type	= ARG_PTR_TO_UNINIT_MEM,
    +	.arg3_type	= ARG_PTR_TO_MEM | MEM_RDONLY,
     	.arg4_type	= ARG_CONST_SIZE,
     };
     
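
Review bot: The new .arg3_type = ARG_PTR_TO_MEM | MEM_RDONLY line lands without a test; the change touches only net/core/filter.c. A verifier selftest that calls bpf_xdp_store_bytes with a source pointer into a BPF_F_RDONLY_PROG map value (expected to load) and a second one that passes an unwritten stack buffer (expected to be rejected) would pin down both behaviours the commit message describes and catch a regression if this prototype is edited again.
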
    -- 
    cgit 1.3-korg
    
    
    
57f7f6a0ad04

bpf: Fix bpf_xdp_store_bytes proto for read-only arg

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Paul Chaignon · Jan 31, 2026 · Fixed in 6.19.4 · via kernel-cna
1 file changed · +1 2
  • net/core/filter.c+1 2 modified
    diff --git a/net/core/filter.c b/net/core/filter.c
    index b1f8e2930e1c43..51318cb40f7788 100644
    --- a/net/core/filter.c
    +++ b/net/core/filter.c
    @@ -4137,7 +4137,7 @@ static const struct bpf_func_proto bpf_xdp_store_bytes_proto = {
     	.ret_type	= RET_INTEGER,
     	.arg1_type	= ARG_PTR_TO_CTX,
     	.arg2_type	= ARG_ANYTHING,
    -	.arg3_type	= ARG_PTR_TO_UNINIT_MEM,
    +	.arg3_type	= ARG_PTR_TO_MEM | MEM_RDONLY,
     	.arg4_type	= ARG_CONST_SIZE,
     };
     
d7b87adeb0eb

bpf: Fix bpf_xdp_store_bytes proto for read-only arg

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Paul Chaignon · Jan 31, 2026 · Fixed in 6.18.14 · via kernel-cna
1 file changed · +1 2
  • net/core/filter.c+1 2 modified
    diff --git a/net/core/filter.c b/net/core/filter.c
    index b9a51f322b655d..d93f7dea828e57 100644
    --- a/net/core/filter.c
    +++ b/net/core/filter.c
    @@ -4133,7 +4133,7 @@ static const struct bpf_func_proto bpf_xdp_store_bytes_proto = {
     	.ret_type	= RET_INTEGER,
     	.arg1_type	= ARG_PTR_TO_CTX,
     	.arg2_type	= ARG_ANYTHING,
    -	.arg3_type	= ARG_PTR_TO_UNINIT_MEM,
    +	.arg3_type	= ARG_PTR_TO_MEM | MEM_RDONLY,
     	.arg4_type	= ARG_CONST_SIZE,
     };
     
0db169a91381

bpf: Fix bpf_xdp_store_bytes proto for read-only arg

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Paul Chaignon · Jan 31, 2026 · Fixed in 6.12.75 · via kernel-cna
1 file changed · +1 2
  • net/core/filter.c+1 2 modified
    diff --git a/net/core/filter.c b/net/core/filter.c
    index 06e179865a21b7..182a7388e84f56 100644
    --- a/net/core/filter.c
    +++ b/net/core/filter.c
    @@ -4140,7 +4140,7 @@ static const struct bpf_func_proto bpf_xdp_store_bytes_proto = {
     	.ret_type	= RET_INTEGER,
     	.arg1_type	= ARG_PTR_TO_CTX,
     	.arg2_type	= ARG_ANYTHING,
    -	.arg3_type	= ARG_PTR_TO_UNINIT_MEM,
    +	.arg3_type	= ARG_PTR_TO_MEM | MEM_RDONLY,
     	.arg4_type	= ARG_CONST_SIZE,
     };
     
ddc34a1b8550

bpf: Fix bpf_xdp_store_bytes proto for read-only arg

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Paul Chaignon · Jan 31, 2026 · Fixed in 6.6.128 · via kernel-cna
1 file changed · +1 2
  • net/core/filter.c+1 2 modified
    diff --git a/net/core/filter.c b/net/core/filter.c
    index ddb6d3dd34deb7..e5dc1f699297b0 100644
    --- a/net/core/filter.c
    +++ b/net/core/filter.c
    @@ -4118,7 +4118,7 @@ static const struct bpf_func_proto bpf_xdp_store_bytes_proto = {
     	.ret_type	= RET_INTEGER,
     	.arg1_type	= ARG_PTR_TO_CTX,
     	.arg2_type	= ARG_ANYTHING,
    -	.arg3_type	= ARG_PTR_TO_UNINIT_MEM,
    +	.arg3_type	= ARG_PTR_TO_MEM | MEM_RDONLY,
     	.arg4_type	= ARG_CONST_SIZE,
     };
     
ffb5d1c5e393

bpf: Fix bpf_xdp_store_bytes proto for read-only arg

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Paul Chaignon · Jan 31, 2026 · Fixed in 6.1.165 · via kernel-cna
1 file changed · +1 2
  • net/core/filter.c+1 2 modified
    diff --git a/net/core/filter.c b/net/core/filter.c
    index e19bf63ad9a44c..c177e40e70770c 100644
    --- a/net/core/filter.c
    +++ b/net/core/filter.c
    @@ -4069,7 +4069,7 @@ static const struct bpf_func_proto bpf_xdp_store_bytes_proto = {
     	.ret_type	= RET_INTEGER,
     	.arg1_type	= ARG_PTR_TO_CTX,
     	.arg2_type	= ARG_ANYTHING,
    -	.arg3_type	= ARG_PTR_TO_UNINIT_MEM,
    +	.arg3_type	= ARG_PTR_TO_MEM | MEM_RDONLY,
     	.arg4_type	= ARG_CONST_SIZE,
     };
     
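
Review bot: Dropping ARG_PTR_TO_UNINIT_MEM on the .arg3_type line also tightens what the verifier accepts, which matters for a stable backport such as this 6.1.165 one: a program that passed a buffer it had not fully written as the third argument loaded before and will be rejected after the update. The commit message mentions the uninitialized read only in passing; it should state this load-time behaviour change explicitly so that operators upgrading within a stable series know a previously accepted XDP program may now fail verification.
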

Vulnerability mechanics

Root cause

"Incorrect BPF helper argument type annotation: the third argument of bpf_xdp_store_bytes was declared as ARG_PTR_TO_UNINIT_MEM (which implies MEM_WRITE), but the helper only reads from that argument, causing the verifier to reject valid read-only map pointers and potentially allowing reads from uninitialized memory."

Attack vector

An attacker who can load a BPF program that calls bpf_xdp_store_bytes with a pointer to a BPF_F_RDONLY_PROG map (a read-only map) will have the program rejected by the verifier with a "write into map forbidden" error, because the helper's third argument was incorrectly typed as ARG_PTR_TO_UNINIT_MEM (which carries the MEM_WRITE flag) [patch_id=2661675]. Conversely, if an attacker passes a pointer to uninitialized memory as the third argument, the verifier would not catch it because ARG_PTR_TO_UNINIT_MEM expects uninitialized memory, potentially allowing the helper to read from uninitialized data [patch_id=2661675]. The bug is triggered purely through BPF program code — no special network access or authentication is required beyond the ability to load a BPF program.

Affected code

The vulnerability is in the bpf_xdp_store_bytes_proto function prototype definition in net/core/filter.c [patch_id=2661675]. The third argument type was incorrectly set to ARG_PTR_TO_UNINIT_MEM instead of ARG_PTR_TO_MEM | MEM_RDONLY.

What the fix does

The patch changes the third argument type of bpf_xdp_store_bytes_proto from ARG_PTR_TO_UNINIT_MEM to ARG_PTR_TO_MEM | MEM_RDONLY in net/core/filter.c [patch_id=2661675]. This corrects the annotation to match the actual behavior of the helper, which only reads from the memory pointed to by the third argument (it stores bytes into the XDP context, not into the provided buffer). The fix aligns the prototype with that of bpf_skb_store_bytes, which already uses the correct ARG_PTR_TO_MEM | MEM_RDONLY type [patch_id=2661675].
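
A simplified user-space model of the argument check described above, added here as an illustration; it is not kernel code and not part of the patch. The flag values, `struct reg`, `check_mem_arg` and the three sample registers are constructed for this example; only the type and flag names come from the advisory.

```c
/* Toy model of the verifier's check on a helper's memory argument.
 * Not kernel code: flag values and all names below are constructed. */
#include <stdbool.h>
#include <stdio.h>

enum { MEM_RDONLY = 1, MEM_UNINIT = 2, MEM_WRITE = 4, ARG_PTR_TO_MEM = 8 };
/* The advisory: ARG_PTR_TO_UNINIT_MEM "includes the MEM_WRITE flag". */
#define ARG_PTR_TO_UNINIT_MEM (ARG_PTR_TO_MEM | MEM_UNINIT | MEM_WRITE)
#define OLD_ARG3 ARG_PTR_TO_UNINIT_MEM          /* before the patch */
#define NEW_ARG3 (ARG_PTR_TO_MEM | MEM_RDONLY)  /* after the patch  */

struct reg {              /* what R3 points at when the helper is called */
    bool map_value;       /* PTR_TO_MAP_VALUE; otherwise a stack buffer  */
    bool rdonly_prog_map; /* map created with BPF_F_RDONLY_PROG          */
    bool initialized;     /* stack bytes were written before the call    */
};

enum verdict { ACCEPT, REJECT_MAP_WRITE, REJECT_UNINIT_READ };

static enum verdict check_mem_arg(int arg_type, struct reg r)
{
    if (r.map_value) {
        /* A helper declared as writing needs BPF_WRITE access to R3. */
        if ((arg_type & MEM_WRITE) && r.rdonly_prog_map)
            return REJECT_MAP_WRITE;   /* "write into map forbidden" */
        return ACCEPT;                 /* map values are initialized */
    }
    /* Stack: only a MEM_UNINIT argument may point at unwritten bytes. */
    if (!(arg_type & MEM_UNINIT) && !r.initialized)
        return REJECT_UNINIT_READ;
    return ACCEPT;
}

static const struct reg nat_address = { true, true, true };   /* Cilium case */
static const struct reg uninit_stack = { false, false, false };
static const struct reg init_stack = { false, false, true };

int main(void)
{
    static const char *txt[] = { "accept", "write into map forbidden",
                                 "read of uninitialized stack" };
    const struct reg cases[] = { nat_address, uninit_stack, init_stack };
    for (int i = 0; i < 3; i++)
        printf("case %d: old=%s, new=%s\n", i,
               txt[check_mem_arg(OLD_ARG3, cases[i])],
               txt[check_mem_arg(NEW_ARG3, cases[i])]);
    return 0;
}
```

The model covers only the two properties the advisory discusses (write access to a read-only map value, and initialization of a stack buffer); the real verifier tracks far more register state.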

Preconditions

  • auth: The attacker must be able to load a BPF program that calls the bpf_xdp_store_bytes helper.
  • input: The BPF program must pass a pointer to a read-only map (BPF_F_RDONLY_PROG) as the third argument, or pass a pointer to uninitialized memory.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
