CVE-2026-45927

MEDIUM

bpf: Require frozen map for calculating map hash

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Require frozen map for calculating map hash Currently, bpf_map_get_info_by_fd calculates and caches the hash of the map regardless of the map's frozen state. This leads to a TOCTOU bug where userspace can call BPF_OBJ_GET_INFO_BY_FD to cache the hash and then modify the map contents before freezing. Therefore, a trusted loader can be tricked into verifying the stale hash while loading the modified contents. Fix this by returning -EPERM if the map is not frozen when the hash is requested. This ensures the hash is only generated for the final, immutable state of the map.

Scores

CVSS v3 4.7
EPSS 0.0009
EPSS Percentile 0.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-367
Status published
Products (11)
linux/Kernel 6.18.0 - 6.18.14linux
linux/Kernel 6.19.0 - 6.19.4linux
Linux/Linux < 6.18
Linux/Linux 6.18
Linux/Linux 6.18.14 - 6.18.*
Linux/Linux 6.19.4 - 6.19.*
Linux/Linux 7.0
Linux/Linux ea2e6467ac36bf3d785defc89e58269b15d182f7 - 7752d36343862323bbeea4ce3adf0ec2ed86e122
Linux/Linux ea2e6467ac36bf3d785defc89e58269b15d182f7 - a2c86aa621c22f2a7e26c654f936d65cfff0aa91
Linux/Linux ea2e6467ac36bf3d785defc89e58269b15d182f7 - f415e114b58fe02c41191e47f24bdabb438daf72
... and 1 more
Published May 27, 2026
Tracked Since May 27, 2026