Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2026-45886— bpf: Fix bpf_xdp_store_bytes proto for read-only arg

AI Predicted 5.5 Difficulty: Trivial EPSS 0.03% · P10

Possible ATT&CK Techniques 1AI

T1055 · Process Injection

Affected Version Matrix 14

VendorProductVersion RangeStatus
LinuxLinux3f364222d032eea6b245780e845ad213dab28cdd< ffb5d1c5e3933b947fc7303ad68bf0c536d0c85eaffected
3f364222d032eea6b245780e845ad213dab28cdd< ddc34a1b85505c919026ddc82fafdada9a160b15affected
3f364222d032eea6b245780e845ad213dab28cdd< 0db169a91381a473b7974021d1c02f8da72c5775affected
3f364222d032eea6b245780e845ad213dab28cdd< d7b87adeb0eb539b9b824b101bb14fb01e41240baffected
3f364222d032eea6b245780e845ad213dab28cdd< 57f7f6a0ad04a65c8a7a067b2f56cbbf2aec9e52affected
3f364222d032eea6b245780e845ad213dab28cdd< 6557f1565d779851c4db9c488c49c05a47a6e72faffected
5.18affected
< 5.18unaffected
… +6 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-45886

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
bpf: Fix bpf_xdp_store_bytes proto for read-only arg
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix bpf_xdp_store_bytes proto for read-only arg While making some maps in Cilium read-only from the BPF side, we noticed that the bpf_xdp_store_bytes proto is incorrect. In particular, the verifier was throwing the following error: ; ret = ctx_store_bytes(ctx, l3_off + offsetof(struct iphdr, saddr), &nat->address, 4, 0); 635: (79) r1 = *(u64 *)(r10 -144) ; R1=ctx() R10=fp0 fp-144=ctx() 636: (b4) w2 = 26 ; R2=26 637: (b4) w4 = 4 ; R4=4 638: (b4) w5 = 0 ; R5=0 639: (85) call bpf_xdp_store_bytes#190 write into map forbidden, value_size=6 off=0 size=4 nat comes from a BPF_F_RDONLY_PROG map, so R3 is a PTR_TO_MAP_VALUE. The verifier checks the helper's memory access to R3 in check_mem_size_reg, as it reaches ARG_CONST_SIZE argument. The third argument has expected type ARG_PTR_TO_UNINIT_MEM, which includes the MEM_WRITE flag. The verifier thus checks for a BPF_WRITE access on R3. Given R3 points to a read-only map, the check fails. Conversely, ARG_PTR_TO_UNINIT_MEM can also lead to the helper reading from uninitialized memory. This patch simply fixes the expected argument type to match that of bpf_skb_store_bytes.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于bpf_xdp_store_bytes函数参数类型错误,导致验证器错误地禁止对只读映射的写入操作。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 3f364222d032eea6b245780e845ad213dab28cdd ~ ffb5d1c5e3933b947fc7303ad68bf0c536d0c85e -
LinuxLinux 5.18 -

II. Public POCs for CVE-2026-45886

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-45886

登录查看更多情报信息。

Patches & Fixes for CVE-2026-45886 (6)

Same Patch Batch · Linux · 2026-05-27 · 276 CVEs total

CVE-2026-460399.8 CRITICALrxgk: Fix potential integer overflow in length check
CVE-2026-458989.8 CRITICALRDMA/iwcm: Fix workqueue list corruption by removing work_list
CVE-2026-459889.8 CRITICALrxrpc: Fix re-decryption of RESPONSE packets
CVE-2026-459729.8 CRITICALsmb: client: fix potential UAF and double free in smb2_open_file()
CVE-2026-460439.1 CRITICALRDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
CVE-2026-460568.8 HIGHBluetooth: hci_event: fix potential UAF in SSP passkey handlers
CVE-2026-459458.8 HIGHiommu/vt-d: Fix race condition during PASID entry replacement
CVE-2026-460378.2 HIGHipv4: icmp: validate reply type before using icmp_pointers
CVE-2026-458438.2 HIGHslip: bound decode() reads against the compressed packet length
CVE-2026-460108.1 HIGHrxrpc: Fix error handling in rxgk_extract_token()
CVE-2026-460998.1 HIGHnet: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels
CVE-2026-460767.9 HIGHKVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1
CVE-2026-458787.8 HIGHdrm/amdkfd: Fix watch_id bounds checking in debug address watch v2
CVE-2026-459597.8 HIGHcrypto: ccp - Fix a crash due to incorrect cleanup usage of kfree
CVE-2026-460117.8 HIGHmedia: mtk-jpeg: fix use-after-free in release path due to uncancelled work
CVE-2026-458947.8 HIGHiommu/vt-d: Clear Present bit before tearing down PASID entry
CVE-2026-460157.8 HIGHtcp: call sk_data_ready() after listener migration
CVE-2026-458527.8 HIGHRDMA/rxe: Fix double free in rxe_srq_from_init
CVE-2026-458627.8 HIGHiommu/vt-d: Flush cache for PASID table before using it
CVE-2026-458617.8 HIGHgfs2: Fix slab-use-after-free in qd_put

Showing top 20 of 276 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-45886

No comments yet

Leave a comment