Mallory
Medium

Linux kernel BPF constant blinding bypass in PROBE_MEM32 stores

Identifiers: CVE-2026-23417, CWE-693

CVE-2026-23417 is a flaw in the Linux kernel BPF JIT hardening path. BPF_ST | BPF_PROBE_MEM32 immediate stores were not handled by bpf_jit_blind_insn(), which meant user-controlled 32-bit immediate values could remain unblinded in JIT-compiled native code even when constant blinding was expected to be applied with bpf_jit_harden >= 1.

The root cause is an ordering and opcode-handling gap: during verification, convert_ctx_accesses() rewrites certain BPF_ST|BPF_MEM arena pointer stores into BPF_ST|BPF_PROBE_MEM32 before JIT compilation, but the later blinding logic only matched BPF_ST|BPF_MEM and not BPF_ST|BPF_PROBE_MEM32. As a result, the instruction bypassed the intended blinding transformation.

The fix adds explicit BPF_ST|BPF_PROBE_MEM32 handling to bpf_jit_blind_insn(), applying the same transformation used for normal immediate stores: loading a blinded immediate into BPF_REG_AX via mov+xor and rewriting the store into a BPF_STX form while preserving PROBE_MEM32 mode so the architecture JIT emits correct arena addressing.
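The opcode-matching gap and the fix described above, as a user-space C model (an added example, not kernel source and not code from this advisory). blind_store(), imm_survives(), the simplified struct insn, the fixed flag, SAMPLE, g_out and the sample values are assumptions made for illustration; the opcode values follow the kernel's BPF headers.

```c
#include <stdint.h>
#include <stdio.h>
/* Opcode bits, as in the kernel's BPF headers. */
enum { BPF_ST = 0x02, BPF_STX = 0x03, BPF_ALU64 = 0x07, BPF_W = 0x00, BPF_K = 0x00,
       BPF_MEM = 0x60, BPF_PROBE_MEM32 = 0xa0, BPF_XOR = 0xa0, BPF_MOV = 0xb0,
       BPF_REG_AX = 11 };
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_SIZE(c)  ((c) & 0x18)
#define BPF_MODE(c)  ((c) & 0xe0)

/* Simplified stand-in for struct bpf_insn (assumption, not the kernel layout). */
struct insn { uint8_t code, dst, src; int16_t off; int32_t imm; };

/* Constructed sample: 32-bit arena store of a caller-chosen immediate. */
static const struct insn SAMPLE = { BPF_ST | BPF_PROBE_MEM32 | BPF_W, 1, 0, 8, 0x41424344 };
static struct insn g_out[3];

/* Model of blinding an immediate store; returns instructions written to out[].
 * fixed == 0 matches only BPF_ST|BPF_MEM (the gap); fixed == 1 adds PROBE_MEM32. */
int blind_store(struct insn in, uint32_t rnd, int fixed, struct insn out[3])
{
    uint8_t mode = BPF_MODE(in.code);
    if (BPF_CLASS(in.code) != BPF_ST ||
        !(mode == BPF_MEM || (fixed && mode == BPF_PROBE_MEM32))) {
        out[0] = in;                      /* passes through, imm intact */
        return 1;
    }
    /* mov AX, imm ^ rnd ; xor AX, rnd ; stx [dst + off], AX (mode kept) */
    out[0] = (struct insn){ BPF_ALU64 | BPF_MOV | BPF_K, BPF_REG_AX, 0, 0,
                            (int32_t)((uint32_t)in.imm ^ rnd) };
    out[1] = (struct insn){ BPF_ALU64 | BPF_XOR | BPF_K, BPF_REG_AX, 0, 0, (int32_t)rnd };
    out[2] = (struct insn){ BPF_STX | mode | BPF_SIZE(in.code), in.dst, BPF_REG_AX, in.off, 0 };
    return 3;
}

/* Returns 1 if imm appears verbatim in any of the n emitted instructions. */
int imm_survives(const struct insn *p, int n, int32_t imm)
{
    for (int i = 0; i < n; i++)
        if (p[i].imm == imm) return 1;
    return 0;
}

int main(void)
{
    for (int fixed = 0; fixed <= 1; fixed++) {
        int n = blind_store(SAMPLE, 0x5a5a5a5au, fixed, g_out);
        printf("fixed=%d insns=%d imm_visible=%d\n", fixed, n, imm_survives(g_out, n, SAMPLE.imm));
    }
    return 0;
}
```

The constant 0x5a5a5a5a stands in for the random value the kernel draws per instruction; the model only shows whether the original immediate is still present after the blinding step.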


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Based on the provided content and scoring, the primary impact is local denial of service. An attacker able to load or influence a vulnerable BPF program can cause user-controlled immediates to survive into JIT-generated native code without the intended hardening transformation, undermining BPF JIT constant blinding. The supplied CVSS vectors indicate no confidentiality or integrity impact and high availability impact, consistent with a crash or similar service disruption in the local kernel attack context.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by restricting untrusted local users' ability to load BPF programs, and by disabling or limiting BPF JIT use and the attack surface that depends on JIT hardening where operationally feasible. The vulnerability is only relevant in configurations where BPF JIT compilation is in use and bpf_jit_harden is set to 1 or higher. General least-privilege controls around BPF program loading and kernel attack-surface reduction are appropriate interim measures. Specific temporary mitigations beyond that are not provided in the supplied content.

Remediation

Patch, then assume compromise.

Apply a Linux kernel update containing the fix for CVE-2026-23417, specifically the change that adds BPF_ST|BPF_PROBE_MEM32 handling to bpf_jit_blind_insn() and preserves PROBE_MEM32 mode when rewriting the instruction to BPF_STX. Vendor-provided fixed packages should be used where available. The provided content notes SUSE fixes released on 2026-05-28 for affected product lines including SLES 16.0, SLES for SAP applications 16.0, SUSE Linux Micro 6.2, and openSUSE Leap 16.0, with fixed kernel package version 6.12.0-160000.33.1 referenced for those lines.

PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor | Product | Type
Linux | Linux Kernel | operating_system

Vendor-confirmed product mapping.