{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-45903","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-13T15:03:33.084Z","datePublished":"2026-05-27T12:17:11.382Z","dateUpdated":"2026-05-27T12:17:11.382Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-27T12:17:11.382Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix memory access flags in helper prototypes\n\nAfter commit 37cce22dbd51 (\"bpf: verifier: Refactor helper access type tracking\"),\nthe verifier started relying on the access type flags in helper\nfunction prototypes to perform memory access optimizations.\n\nCurrently, several helper functions utilizing ARG_PTR_TO_MEM lack the\ncorresponding MEM_RDONLY or MEM_WRITE flags. This omission causes the\nverifier to incorrectly assume that the buffer contents are unchanged\nacross the helper call. Consequently, the verifier may optimize away\nsubsequent reads based on this wrong assumption, leading to correctness\nissues.\n\nFor bpf_get_stack_proto_raw_tp, the original MEM_RDONLY was incorrect\nsince the helper writes to the buffer. Change it to ARG_PTR_TO_UNINIT_MEM\nwhich correctly indicates write access to potentially uninitialized memory.\n\nSimilar issues were recently addressed for specific helpers in commit\nac44dcc788b9 (\"bpf: Fix verifier assumptions of bpf_d_path's output buffer\")\nand commit 2eb7648558a7 (\"bpf: Specify access type of bpf_sysctl_get_name args\").\n\nFix these prototypes by adding the correct memory access flags."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/bpf/helpers.c","kernel/bpf/syscall.c","kernel/trace/bpf_trace.c","net/core/filter.c"],"versions":[{"version":"37cce22dbd51a3ef7f6c08c3fb5f1c5075a17fbb","lessThan":"fdfe75161f6e8c41a7d3023fbb815b537107b806","status":"affected","versionType":"git"},{"version":"37cce22dbd51a3ef7f6c08c3fb5f1c5075a17fbb","lessThan":"aa319592892068bd960c1a1c07bd621085b0c63d","status":"affected","versionType":"git"},{"version":"37cce22dbd51a3ef7f6c08c3fb5f1c5075a17fbb","lessThan":"802eef5afb1865bc5536a5302c068ba2215a1f72","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/bpf/helpers.c","kernel/bpf/syscall.c","kernel/trace/bpf_trace.c","net/core/filter.c"],"versions":[{"version":"6.14","status":"affected"},{"version":"0","lessThan":"6.14","status":"unaffected","versionType":"semver"},{"version":"6.18.14","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.4","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14","versionEndExcluding":"6.18.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14","versionEndExcluding":"6.19.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/fdfe75161f6e8c41a7d3023fbb815b537107b806"},{"url":"https://git.kernel.org/stable/c/aa319592892068bd960c1a1c07bd621085b0c63d"},{"url":"https://git.kernel.org/stable/c/802eef5afb1865bc5536a5302c068ba2215a1f72"}],"title":"bpf: Fix memory access flags in helper prototypes","x_generator":{"engine":"bippy-1.2.0"}}}}