{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23383", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.007Z", "datePublished": "2026-03-25T10:28:02.126Z", "dateUpdated": "2026-05-11T22:05:48.976Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:05:48.976Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing\n\nstruct bpf_plt contains a u64 target field. Currently, the BPF JIT\nallocator requests an alignment of 4 bytes (sizeof(u32)) for the JIT\nbuffer.\n\nBecause the base address of the JIT buffer can be 4-byte aligned (e.g.,\nending in 0x4 or 0xc), the relative padding logic in build_plt() fails\nto ensure that target lands on an 8-byte boundary.\n\nThis leads to two issues:\n1. UBSAN reports misaligned-access warnings when dereferencing the\n structure.\n2. More critically, target is updated concurrently via WRITE_ONCE() in\n bpf_arch_text_poke() while the JIT'd code executes ldr. On arm64,\n 64-bit loads/stores are only guaranteed to be single-copy atomic if\n they are 64-bit aligned. A misaligned target risks a torn read,\n causing the JIT to jump to a corrupted address.\n\nFix this by increasing the allocation alignment requirement to 8 bytes\n(sizeof(u64)) in bpf_jit_binary_pack_alloc(). This anchors the base of\nthe JIT buffer to an 8-byte boundary, allowing the relative padding math\nin build_plt() to correctly align the target field."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/arm64/net/bpf_jit_comp.c"], "versions": [{"version": "b2ad54e1533e91449cb2a371e034942bd7882b58", "lessThan": "80ad264da02cc4aee718e799c2b79f0f834673dc", "status": "affected", "versionType": "git"}, {"version": "b2ad54e1533e91449cb2a371e034942bd7882b58", "lessThan": "519b1ad91de5bf7a496f2b858e9212db6328e1de", "status": "affected", "versionType": "git"}, {"version": "b2ad54e1533e91449cb2a371e034942bd7882b58", "lessThan": "66959ed481a474eaae278c7f6860a2a9b188a4d6", "status": "affected", "versionType": "git"}, {"version": "b2ad54e1533e91449cb2a371e034942bd7882b58", "lessThan": "ef06fd16d48704eac868441d98d4ef083d8f3d07", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/arm64/net/bpf_jit_comp.c"], "versions": [{"version": "6.0", "status": "affected"}, {"version": "0", "lessThan": "6.0", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/80ad264da02cc4aee718e799c2b79f0f834673dc"}, {"url": "https://git.kernel.org/stable/c/519b1ad91de5bf7a496f2b858e9212db6328e1de"}, {"url": "https://git.kernel.org/stable/c/66959ed481a474eaae278c7f6860a2a9b188a4d6"}, {"url": "https://git.kernel.org/stable/c/ef06fd16d48704eac868441d98d4ef083d8f3d07"}], "title": "bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5D973B34-246F-4A22-882C-BBD5EB00997D", "versionEndExcluding": "6.12.77", "versionStartIncluding": "6.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5E006E4-59C7-43C1-9231-62A72219F2BA", "versionEndExcluding": "6.18.17", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3", "versionEndExcluding": "6.19.7", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:-:*:*:*:*:*:*", "matchCriteriaId": "7BE551E5-89CF-47A8-9B26-03CE727FBA37", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing\n\nstruct bpf_plt contains a u64 target field. Currently, the BPF JIT\nallocator requests an alignment of 4 bytes (sizeof(u32)) for the JIT\nbuffer.\n\nBecause the base address of the JIT buffer can be 4-byte aligned (e.g.,\nending in 0x4 or 0xc), the relative padding logic in build_plt() fails\nto ensure that target lands on an 8-byte boundary.\n\nThis leads to two issues:\n1. UBSAN reports misaligned-access warnings when dereferencing the\n structure.\n2. More critically, target is updated concurrently via WRITE_ONCE() in\n bpf_arch_text_poke() while the JIT'd code executes ldr. On arm64,\n 64-bit loads/stores are only guaranteed to be single-copy atomic if\n they are 64-bit aligned. A misaligned target risks a torn read,\n causing the JIT to jump to a corrupted address.\n\nFix this by increasing the allocation alignment requirement to 8 bytes\n(sizeof(u64)) in bpf_jit_binary_pack_alloc(). This anchors the base of\nthe JIT buffer to an 8-byte boundary, allowing the relative padding math\nin build_plt() to correctly align the target field."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nbpf, arm64: Forzar alineaci\u00f3n de 8 bytes para el b\u00fafer JIT para prevenir el desgarro at\u00f3mico\n\nstruct bpf_plt contiene un campo objetivo u64. Actualmente, el asignador JIT de BPF solicita una alineaci\u00f3n de 4 bytes (sizeof(u32)) para el b\u00fafer JIT.\n\nDebido a que la direcci\u00f3n base del b\u00fafer JIT puede estar alineada a 4 bytes (p. ej., terminando en 0x4 o 0xc), la l\u00f3gica de relleno relativo en build_plt() no logra asegurar que target caiga en un l\u00edmite de 8 bytes.\n\nEsto lleva a dos problemas:\n1. UBSAN informa advertencias de acceso desalineado al desreferenciar la estructura.\n2. M\u00e1s cr\u00edticamente, target se actualiza concurrentemente a trav\u00e9s de WRITE_ONCE() en bpf_arch_text_poke() mientras el c\u00f3digo JIT'd ejecuta ldr. En arm64, las cargas/almacenamientos de 64 bits solo se garantiza que sean at\u00f3micos de copia \u00fanica si est\u00e1n alineados a 64 bits. Un target desalineado arriesga una lectura desgarrada, haciendo que el JIT salte a una direcci\u00f3n corrupta.\n\nSolucione esto aumentando el requisito de alineaci\u00f3n de asignaci\u00f3n a 8 bytes (sizeof(u64)) en bpf_jit_binary_pack_alloc(). Esto ancla la base del b\u00fafer JIT a un l\u00edmite de 8 bytes, permitiendo que las matem\u00e1ticas de relleno relativo en build_plt() alineen correctamente el campo target."}], "id": "CVE-2026-23383", "lastModified": "2026-04-24T18:42:21.773", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-03-25T11:16:38.487", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/519b1ad91de5bf7a496f2b858e9212db6328e1de"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/66959ed481a474eaae278c7f6860a2a9b188a4d6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/80ad264da02cc4aee718e799c2b79f0f834673dc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ef06fd16d48704eac868441d98d4ef083d8f3d07"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing", "id": "2451206", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451206"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-468", "details": ["A flaw was found in the Linux kernel's BPF (Berkeley Packet Filter) JIT (Just-In-Time) compiler on arm64 architectures. The BPF JIT allocator incorrectly requests a 4-byte alignment for its buffer, while a critical `target` field within the `bpf_plt` structure requires 8-byte alignment. This misalignment can lead to a \"torn read\" when the `target` field is updated concurrently, causing the JIT to jump to a corrupted memory address. An attacker could potentially exploit this vulnerability to achieve arbitrary code execution."], "name": "CVE-2026-23383", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23383\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23383\nhttps://lore.kernel.org/linux-cve-announce/2026032543-CVE-2026-23383-f205@gregkh/T"], "statement": "This flaw is specific to ARM64 systems running BPF programs. The 4-byte alignment of JIT buffers can cause the u64 target field to be misaligned, leading to atomic tearing during concurrent updates via bpf_arch_text_poke(). A torn read could cause JIT code to jump to a corrupted address. Requires BPF privileges and concurrent BPF program patching.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b2ad54e1533e91449cb2a371e034942bd7882b58,80ad264da02cc4aee718e799c2b79f0f834673dc)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b2ad54e1533e91449cb2a371e034942bd7882b58,519b1ad91de5bf7a496f2b858e9212db6328e1de)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b2ad54e1533e91449cb2a371e034942bd7882b58,66959ed481a474eaae278c7f6860a2a9b188a4d6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b2ad54e1533e91449cb2a371e034942bd7882b58,ef06fd16d48704eac868441d98d4ef083d8f3d07)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.0"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc2,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T09:06:49.411702+00:00", "value": {"mitigation_remediation": ["Update the kernel to a version that includes the bpf JIT alignment patch.", "If the update is not immediately possible, disable BPF JIT by setting the appropriate sysctl or compiling the kernel with CONFIG_BPF_JIT_DISABLED.", "Monitor system logs for UBSAN misaligned-access warnings or unexpected kernel crashes that may indicate exploitation."], "summary": {"action": "Immediate Patch", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Linux kernel across all releases that contain the buggy JIT allocation code for arm64. Vendors and users running these kernel versions are impacted. Specific version ranges are not listed in the CVE data, so any kernel prior to the patching commit should be considered vulnerable.", "description_and_impact": "An alignment oversight in the Linux kernel\u2019s BPF JIT allocator for the arm64 architecture causes a 64\u2011bit pointer field in the bpf_plt structure to sometimes be misaligned. When the JIT compiler generates code that accesses this field concurrently with a write, the ARM64 load/store operation may observe only part of the 64\u2011bit value, resulting in a torn read. The malformed address can then be used as a jump target by the JITed code, allowing execution of unintended instructions. This flaw enables an attacker who can load a malicious BPF program to potentially execute arbitrary kernel code, leading to local privilege escalation or root compromise.", "risk_and_exploitability": "With a CVSS score of 7.8, the flaw is classified as high severity. The EPSS estimate is below 1\u202f%, and it is not currently listed in CISA\u2019s KEV catalog, indicating a low likelihood of widespread exploitation at this time. Nevertheless, the attack vector requires the ability to load or influence BPF code in kernel space, which an attacker may obtain via local compromise or privilege escalation channels. If the ability to execute BPF programs is available, the misaligned JIT buffer becomes a viable vector for kernel arbitrary code execution. Patching the kernel removes the misalignment; failing that, disabling BPF JIT on affected systems mitigates the risk."}}}}, "created": "2026-03-25T21:31:32.971953+00:00", "updated": "2026-04-28T09:15:09.683689+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}