CVE-2026-45927
Description
In the Linux kernel, the following vulnerability has been resolved:
bpf: Require frozen map for calculating map hash
Currently, bpf_map_get_info_by_fd calculates and caches the hash of the map regardless of the map's frozen state.
This leads to a TOCTOU bug where userspace can call BPF_OBJ_GET_INFO_BY_FD to cache the hash and then modify the map contents before freezing.
Therefore, a trusted loader can be tricked into verifying the stale hash while loading the modified contents.
Fix this by returning -EPERM if the map is not frozen when the hash is requested. This ensures the hash is only generated for the final, immutable state of the map.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Linux kernel's BPF subsystem has a TOCTOU vulnerability: the hash of a BPF map can be computed and cached while the map is still writable from user space, so a user who modifies the map after the hash is cached and then freezes it can get a trusted loader to validate the modified contents against the stale hash.
Vulnerability
In the Linux kernel BPF subsystem, bpf_map_get_info_by_fd calculates and caches the hash of a BPF map regardless of the map's frozen state. This is a time-of-check-time-of-use (TOCTOU) flaw: the hash is computed over the current, still-mutable contents, which user space can change afterwards. Every kernel that exposes the map hash through BPF_OBJ_GET_INFO_BY_FD (the map_get_hash path in bpf_map_get_info_by_fd) without first requiring the map to be frozen is affected. The fix, commit a2c86aa621c2 [1] together with the backports listed under Patches, refuses to compute the hash until the map has been frozen with BPF_MAP_FREEZE.
Exploitation
An attacker must be able to create or obtain a file descriptor to a BPF map and call BPF_OBJ_GET_INFO_BY_FD on it. The attacker first requests the hash (which is computed and cached), then modifies the map contents, and only then freezes the map. A trusted loader that relies on the cached hash to verify the map's integrity accepts the modified contents, because the hash it compares against no longer corresponds to what the map holds. No privileges beyond this basic BPF access are required [1].
Impact
Successful exploitation allows an attacker to present a false hash of a BPF map to a trusted verifier or loader, enabling the loading of arbitrary map contents that are not what the hash claims. This undermines integrity guarantees provided by BPF map hashing; the attacker can modify maps after verification, potentially leading to undefined behavior or security policy bypasses. The impact is limited to scenarios where a verifier trusts the computed hash to be immutable [1].
Mitigation
The fix is commit a2c86aa621c2 [1]; as of 2026-05-27 it has been backported to the stable trees listed under Patches, and system administrators should apply the corresponding stable updates. The fix returns -EPERM if the map is not frozen when the hash is requested, so no hash is ever computed over mutable contents. This is a user-visible change: a loader must issue BPF_MAP_FREEZE before requesting the hash through BPF_OBJ_GET_INFO_BY_FD, and any loader that requested the hash first now fails with EPERM and must reorder those two calls. No workaround is available without applying the patch. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
7752d3634386 bpf: Require frozen map for calculating map hash
1 file changed · +3 −1
kernel/bpf/syscall.c+3 −1 modifieddiff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 2649e0472dfe04..586ece78f783ad 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -5303,6 +5303,9 @@ static int bpf_map_get_info_by_fd(struct file *file, if (info.hash_size != SHA256_DIGEST_SIZE) return -EINVAL; + if (!READ_ONCE(map->frozen)) + return -EPERM; + err = map->ops->map_get_hash(map, SHA256_DIGEST_SIZE, map->sha); if (err != 0) return err; -- cgit 1.3-korg
a2c86aa621c2 bpf: Require frozen map for calculating map hash
1 file changed · +3 −1
kernel/bpf/syscall.c+3 −1 modifieddiff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 93bc0f4c65c57b..683c332dbafbe7 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -5328,6 +5328,9 @@ static int bpf_map_get_info_by_fd(struct file *file, if (info.hash_size != SHA256_DIGEST_SIZE) return -EINVAL; + if (!READ_ONCE(map->frozen)) + return -EPERM; + err = map->ops->map_get_hash(map, SHA256_DIGEST_SIZE, map->sha); if (err != 0) return err; -- cgit 1.3-korg
f415e114b58f bpf: Require frozen map for calculating map hash
1 file changed · +3 −1
kernel/bpf/syscall.c+3 −1 modifieddiff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index f89aa142f71b8a..ce7db2f3be6f63 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -5314,6 +5314,9 @@ static int bpf_map_get_info_by_fd(struct file *file, if (info.hash_size != SHA256_DIGEST_SIZE) return -EINVAL; + if (!READ_ONCE(map->frozen)) + return -EPERM; + err = map->ops->map_get_hash(map, SHA256_DIGEST_SIZE, map->sha); if (err != 0) return err; -- cgit 1.3-korg
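Review bot: the new check tests only `map->frozen` before calling `map->ops->map_get_hash`, so the question for the "final, immutable state" claim in the commit message is whether `frozen` also rules out writes from BPF programs; if it only gates the syscall side (program-side writes being controlled by BPF_F_RDONLY_PROG at map creation), a program with write access can still change the contents after the hash has been cached in `map->sha`, and that assumption should be stated in the message or checked alongside the frozen test. Two smaller points: the change is user-visible (a caller that sets info.hash before BPF_MAP_FREEZE now gets -EPERM instead of a hash) and the stat shows only kernel/bpf/syscall.c touched, so the uapi description of the hash fields should be updated to say the map must be frozen; and the hunk is byte-identical across the three backports listed here, so this comment applies to each of them.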
Vulnerability mechanics
Root cause
"Missing frozen-state check in bpf_map_get_info_by_fd allows the map hash to be computed and cached before the map is frozen, enabling a TOCTOU race."
Attack vector
An attacker with userspace access to a BPF map can call BPF_OBJ_GET_INFO_BY_FD to trigger hash computation and caching while the map is still mutable. After the hash is cached, the attacker modifies the map contents and then freezes it. A trusted loader that later verifies the map against the cached (now-stale) hash will accept the modified contents, believing they match the original hash [patch_id=2661263]. The attack requires the ability to open a file descriptor to the target map and issue the BPF_OBJ_GET_INFO_BY_FD command before the map is frozen.
Affected code
The vulnerability is in the `bpf_map_get_info_by_fd` function in `kernel/bpf/syscall.c`. The function computes and caches the map hash via `map->ops->map_get_hash` without first checking whether the map has been frozen.
What the fix does
The patch adds a check of `READ_ONCE(map->frozen)` in `bpf_map_get_info_by_fd`, after the hash_size validation and immediately before the call to `map->ops->map_get_hash`. If the map is not yet frozen, the function returns -EPERM without computing or caching the hash [patch_id=2661263]. This ensures the hash is only generated for the final, immutable state of the map, closing the TOCTOU window in which userspace could modify the map after the hash was cached but before freezing.
Preconditions
- auth: Attacker must have a file descriptor to a BPF map that is not yet frozen.
- input: Attacker must be able to call BPF_OBJ_GET_INFO_BY_FD on that map fd.
- config: A trusted loader must later verify the map against the cached hash.
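As an added illustration (model code written for this page, not kernel code and not part of the referenced patches), the C program below replays the sequence described above against a toy map whose frozen flag and cached hash mimic map->frozen and map->sha, once with the unpatched behaviour and once with the -EPERM check from the patch. FNV-1a 64 stands in for the kernel's SHA-256, and the map contents are constructed sample strings; both are assumptions of the model.

```c
/*
 * Added model of the TOCTOU in bpf_map_get_info_by_fd, written for this page
 * (not kernel code): a toy map with a frozen flag, a get_info_by_fd() that
 * computes and caches the hash, and a loader that trusts the cached hash.
 * The kernel uses SHA-256; FNV-1a 64 stands in here (assumption) for brevity.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAP_SIZE 16

struct model_map {
	uint8_t value[MAP_SIZE]; /* map contents */
	bool frozen;             /* set by BPF_MAP_FREEZE, never cleared */
	uint64_t sha;            /* cached hash, like map->sha in the kernel */
	bool sha_valid;
};

static uint64_t fnv1a64(const uint8_t *p, size_t n)
{
	uint64_t h = 0xcbf29ce484222325ULL;
	for (size_t i = 0; i < n; i++)
		h = (h ^ p[i]) * 0x100000001b3ULL;
	return h;
}

/* BPF_MAP_UPDATE_ELEM from user space: refused once the map is frozen. */
static int map_update_elem(struct model_map *m, const uint8_t *v)
{
	if (m->frozen)
		return -EPERM;
	memcpy(m->value, v, MAP_SIZE);
	return 0;
}

/* BPF_MAP_FREEZE: one-way transition. */
static int map_freeze(struct model_map *m)
{
	if (m->frozen)
		return -EBUSY;
	m->frozen = true;
	return 0;
}

/* BPF_OBJ_GET_INFO_BY_FD with info.hash set; fixed selects the patched check. */
static int map_get_info_by_fd(struct model_map *m, bool fixed, uint64_t *out)
{
	if (fixed && !m->frozen)
		return -EPERM;        /* the patch: no hash for a mutable map */
	m->sha = fnv1a64(m->value, MAP_SIZE);
	m->sha_valid = true;
	*out = m->sha;
	return 0;
}

/* Trusted loader: loads the map if the cached hash equals the signed one. */
static int loader_load(const struct model_map *m, uint64_t expected, uint8_t *dst)
{
	if (!m->sha_valid || m->sha != expected)
		return -EINVAL;
	memcpy(dst, m->value, MAP_SIZE);
	return 0;
}

/*
 * The sequence from the description: hash, then modify, then freeze. Returns
 * true if the loader took the modified contents as the verified benign ones.
 */
static bool attack_succeeds(bool fixed)
{
	static const uint8_t benign[MAP_SIZE] = "benign contents"; /* constructed */
	static const uint8_t evil[MAP_SIZE] = "evil contents!!";    /* constructed */
	struct model_map m = { 0 };
	uint8_t loaded[MAP_SIZE];
	uint64_t h, expected = fnv1a64(benign, MAP_SIZE); /* value the signer committed to */

	map_update_elem(&m, benign);
	if (map_get_info_by_fd(&m, fixed, &h) != 0) /* 1. cache hash (patched: -EPERM) */
		return false;
	map_update_elem(&m, evil);                  /* 2. modify while still mutable */
	map_freeze(&m);                             /* 3. freeze the modified map */
	if (loader_load(&m, expected, loaded) != 0) /* 4. stale cached hash still matches */
		return false;
	return memcmp(loaded, evil, MAP_SIZE) == 0;
}

/* Correct order for a loader on a patched kernel: freeze first, then hash. */
static int hash_after_freeze(uint64_t *out)
{
	static const uint8_t v[MAP_SIZE] = "benign contents";
	struct model_map m = { 0 };
	map_update_elem(&m, v);
	map_freeze(&m);
	return map_get_info_by_fd(&m, true, out);
}
```

attack_succeeds(false) returns true: the loader compares the hash cached over the benign contents and loads the modified ones. attack_succeeds(true) returns false because step 1 fails with -EPERM, which forces the order used in hash_after_freeze(): freeze, then hash, after which any further user-space update is itself refused with -EPERM. The model covers only user-space writers through the syscall interface, which is what the frozen flag in the patch gates.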
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References