VYPR
Unrated severity · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-45967

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Return proper address for non-zero offsets in insn array

The map_direct_value_addr() function of the instruction array map incorrectly adds the offset to the resulting address. This is a bug, because later the resolve_pseudo_ldimm64() function adds the offset. Fix it. Corresponding selftests are added in a consequent commit.

Affected products

1

Patches

4
73ef43202a37

bpf: Return proper address for non-zero offsets in insn array

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Anton Protopopov · Jan 11, 2026 · Fixed in 6.19.4 · via kernel-cna
1 file changed · +1 −1
  • kernel/bpf/bpf_insn_array.c · +1 −1 · modified
    diff --git a/kernel/bpf/bpf_insn_array.c b/kernel/bpf/bpf_insn_array.c
    index c96630cb75bf7a..37b43102953eeb 100644
    --- a/kernel/bpf/bpf_insn_array.c
    +++ b/kernel/bpf/bpf_insn_array.c
    @@ -126,7 +126,7 @@ static int insn_array_map_direct_value_addr(const struct bpf_map *map, u64 *imm,
     		return -EINVAL;
     
     	/* from BPF's point of view, this map is a jump table */
    -	*imm = (unsigned long)insn_array->ips + off;
    +	*imm = (unsigned long)insn_array->ips;
     
     	return 0;
     }
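Review bot: with `+ off` dropped, the value written to `*imm` no longer depends on `off`, yet the function still takes the offset, and the only thing left that can use it is the `return -EINVAL;` path visible above the hunk. Confirm that path still range-checks `off` against the table, since the caller now adds the offset to the returned base unconditionally, and extend the comment `/* from BPF's point of view, this map is a jump table */` with a line saying that the offset is applied by resolve_pseudo_ldimm64(), as the commit message states, so the next reader does not "fix" this back.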
e3bd7bdf5ffe

bpf: Return proper address for non-zero offsets in insn array

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Anton Protopopov · Jan 11, 2026 · Fixed in 7.0 · via kernel-cna
1 file changed · +1 −1
  • kernel/bpf/bpf_insn_array.c · +1 −1 · modified
    diff --git a/kernel/bpf/bpf_insn_array.c b/kernel/bpf/bpf_insn_array.c
    index c96630cb75bf7a..37b43102953eeb 100644
    --- a/kernel/bpf/bpf_insn_array.c
    +++ b/kernel/bpf/bpf_insn_array.c
    @@ -126,7 +126,7 @@ static int insn_array_map_direct_value_addr(const struct bpf_map *map, u64 *imm,
     		return -EINVAL;
     
     	/* from BPF's point of view, this map is a jump table */
    -	*imm = (unsigned long)insn_array->ips + off;
    +	*imm = (unsigned long)insn_array->ips;
     
     	return 0;
     }
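Review bot: same hunk as the 6.19.4 backport, so the same point applies: after removing `+ off` the `off` parameter only feeds the `return -EINVAL;` check above the hunk, so make sure that check still bounds `off` against the table size now that resolve_pseudo_ldimm64() adds the offset to the base returned here, and note the caller's responsibility next to `/* from BPF's point of view, this map is a jump table */`.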

Vulnerability mechanics

Root cause

"The offset is applied twice: insn_array_map_direct_value_addr() returns `ips + off`, and the verifier's resolve_pseudo_ldimm64() then adds `off` again, so the address patched into the ldimm64 immediate is `ips + 2*off` rather than `ips + off` and selects the wrong jump-table entry."

Attack vector

An attacker who can load a BPF program that uses an instruction-array map (a BPF jump table) and references it through a pseudo ldimm64 with a non-zero offset can trigger this bug. The verifier's resolve_pseudo_ldimm64() is the intended single point where the offset is added to the map value address, but map_direct_value_addr() had already added it [patch_id=2660897], so the resolved immediate is `ips + 2*off`. The program then reads its jump target from the wrong table entry, and for offsets in the upper half of the table from beyond its end, potentially causing a kernel crash or control-flow hijack.

Affected code

The bug is in `kernel/bpf/bpf_insn_array.c` in the function `insn_array_map_direct_value_addr()` [patch_id=2660897]. The function incorrectly computed `*imm = (unsigned long)insn_array->ips + off` instead of just `*imm = (unsigned long)insn_array->ips`.

What the fix does

The patch removes the addition of `off` from the `*imm` assignment in `insn_array_map_direct_value_addr()` [patch_id=2660897]. The function now returns only the base address of the instruction array (`insn_array->ips`). The offset is applied solely by `resolve_pseudo_ldimm64()`, which is the correct single point of offset handling. This eliminates the double-offset bug.
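The double-offset arithmetic described above, as an added example that is not kernel code: a C model of the map's direct_value_addr() callback and of the verifier's resolve_pseudo_ldimm64() step, with the pre-fix `+ off` switchable so the two behaviours can be compared on the same table. The struct layout, the offset check, the 8-entry table and the addresses in it are all constructed for this example; the real validation in kernel/bpf/bpf_insn_array.c is not reproduced.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One jump-table slot: 8 bytes, like a code pointer on x86-64. */
#define ENTRY_SIZE ((uint64_t)sizeof(uint64_t))

/* Hypothetical stand-in for the kernel's insn array map: a table of
 * JIT'd instruction addresses that a BPF program treats as a jump table. */
struct insn_array {
	uint64_t nr_entries;
	uint64_t ips[8];
};

/* Simplified insn_array_map_direct_value_addr(): range-check the ldimm64
 * offset, then hand the verifier the address to patch into the immediate.
 * `buggy` reproduces the pre-fix `*imm = ips + off`. */
static int direct_value_addr(const struct insn_array *ia, uint64_t *imm,
			     uint64_t off, bool buggy)
{
	if (off % ENTRY_SIZE != 0 || off >= ia->nr_entries * ENTRY_SIZE)
		return -EINVAL;
	*imm = (uintptr_t)ia->ips + (buggy ? off : 0);
	return 0;
}

/* Simplified resolve_pseudo_ldimm64(): ask the map for the value's base
 * address, then add the instruction's offset. This is meant to be the only
 * place where the offset is applied. */
static int resolve_ldimm64(const struct insn_array *ia, uint64_t off,
			   bool buggy, uint64_t *resolved)
{
	uint64_t addr;
	int err = direct_value_addr(ia, &addr, off, buggy);

	if (err)
		return err;
	*resolved = addr + off;
	return 0;
}

/* Which table entry the resolved address selects, or -1 if it lies outside
 * the table (in the kernel: the indirect jump would read past the ips array). */
static int target_index(const struct insn_array *ia, uint64_t addr)
{
	uint64_t base = (uintptr_t)ia->ips;
	uint64_t end = base + ia->nr_entries * ENTRY_SIZE;

	if (addr < base || addr + ENTRY_SIZE > end)
		return -1;
	return (int)((addr - base) / ENTRY_SIZE);
}

/* Constructed 8-entry table with fake JIT addresses. Returns the entry index
 * reached for `off`, -1 for out of bounds, or -EINVAL if the map rejects off. */
int entry_reached(uint64_t off, bool buggy)
{
	struct insn_array ia = { .nr_entries = 8 };
	uint64_t resolved;
	int err;

	for (uint64_t i = 0; i < ia.nr_entries; i++)
		ia.ips[i] = 0xffffffffc0001000ULL + i * 0x10; /* constructed values */

	err = resolve_ldimm64(&ia, off, buggy, &resolved);
	if (err)
		return err;
	return target_index(&ia, resolved);
}

int main(void)
{
	uint64_t off;

	printf("%6s %10s %8s\n", "off", "pre-fix", "fixed");
	for (off = 0; off < 8 * ENTRY_SIZE; off += ENTRY_SIZE)
		printf("%6llu %10d %8d\n", (unsigned long long)off,
		       entry_reached(off, true), entry_reached(off, false));
	return 0;
}
```

Only offset 0 behaves identically before and after the fix; every other valid offset lands on entry `2*off/8` pre-fix, and offsets from the upper half of the table (32 and above here) resolve past its end even though the map's own range check accepted them, which is the out-of-bounds case the fix closes.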

Preconditions

  • auth: The attacker must be able to load a BPF program that uses an instruction-array map (BPF_MAP_TYPE_INSN_ARRAY) with a non-zero ldimm64 offset. Loading BPF programs typically requires CAP_BPF; on kernels built with CONFIG_BPF_UNPRIV_DEFAULT_OFF, which most distributions set, unprivileged BPF is disabled by default.
  • config: The kernel must have the BPF JIT enabled, since the map's ips array holds addresses of JIT-compiled instructions. The fixed code is the generic map implementation in kernel/bpf/bpf_insn_array.c, not an arch-specific JIT path; the fixes listed above landed in 6.19.4 and 7.0.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
