GHSA-MX29-FW97-M6GR

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-05-27 15:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Require frozen map for calculating map hash

Currently, bpf_map_get_info_by_fd calculates and caches the hash of the map regardless of the map's frozen state.

This leads to a TOCTOU bug where userspace can call BPF_OBJ_GET_INFO_BY_FD to cache the hash and then modify the map contents before freezing.

Therefore, a trusted loader can be tricked into verifying the stale hash while loading the modified contents.

Fix this by returning -EPERM if the map is not frozen when the hash is requested. This ensures the hash is only generated for the final, immutable state of the map.

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2026-45927"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T14:17:08Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Require frozen map for calculating map hash\n\nCurrently, bpf_map_get_info_by_fd calculates and caches the hash of the\nmap regardless of the map\u0027s frozen state.\n\nThis leads to a TOCTOU bug where userspace can call\nBPF_OBJ_GET_INFO_BY_FD to cache the hash and then modify the map\ncontents before freezing.\n\nTherefore, a trusted loader can be tricked into verifying the stale hash\nwhile loading the modified contents.\n\nFix this by returning -EPERM if the map is not frozen when the hash is\nrequested. This ensures the hash is only generated for the final,\nimmutable state of the map.",
  "id": "GHSA-mx29-fw97-m6gr",
  "modified": "2026-05-27T15:33:16Z",
  "published": "2026-05-27T15:33:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45927"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7752d36343862323bbeea4ce3adf0ec2ed86e122"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a2c86aa621c22f2a7e26c654f936d65cfff0aa91"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f415e114b58fe02c41191e47f24bdabb438daf72"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.