{ "threat_severity" : "Moderate", "public_date" : "2026-03-25T00:00:00Z", "bugzilla" : { "description" : "kernel: bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing", "id" : "2451206", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451206" }, "cvss3" : { "cvss3_base_score" : "6.4", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "status" : "draft" }, "cwe" : "CWE-468", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing\nstruct bpf_plt contains a u64 target field. Currently, the BPF JIT\nallocator requests an alignment of 4 bytes (sizeof(u32)) for the JIT\nbuffer.\nBecause the base address of the JIT buffer can be 4-byte aligned (e.g.,\nending in 0x4 or 0xc), the relative padding logic in build_plt() fails\nto ensure that target lands on an 8-byte boundary.\nThis leads to two issues:\n1. UBSAN reports misaligned-access warnings when dereferencing the\nstructure.\n2. More critically, target is updated concurrently via WRITE_ONCE() in\nbpf_arch_text_poke() while the JIT'd code executes ldr. On arm64,\n64-bit loads/stores are only guaranteed to be single-copy atomic if\nthey are 64-bit aligned. A misaligned target risks a torn read,\ncausing the JIT to jump to a corrupted address.\nFix this by increasing the allocation alignment requirement to 8 bytes\n(sizeof(u64)) in bpf_jit_binary_pack_alloc(). This anchors the base of\nthe JIT buffer to an 8-byte boundary, allowing the relative padding math\nin build_plt() to correctly align the target field.", "A flaw was found in the Linux kernel's BPF (Berkeley Packet Filter) JIT (Just-In-Time) compiler on arm64 architectures. The BPF JIT allocator incorrectly requests a 4-byte alignment for its buffer, while a critical `target` field within the `bpf_plt` structure requires 8-byte alignment. This misalignment can lead to a \"torn read\" when the `target` field is updated concurrently, causing the JIT to jump to a corrupted memory address. An attacker could potentially exploit this vulnerability to achieve arbitrary code execution." ], "statement" : "This flaw is specific to ARM64 systems running BPF programs. The 4-byte alignment of JIT buffers can cause the u64 target field to be misaligned, leading to atomic tearing during concurrent updates via bpf_arch_text_poke(). A torn read could cause JIT code to jump to a corrupted address. Requires BPF privileges and concurrent BPF program patching.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Will not fix", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Will not fix", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23383\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23383\nhttps://lore.kernel.org/linux-cve-announce/2026032543-CVE-2026-23383-f205@gregkh/T" ], "name" : "CVE-2026-23383", "csaw" : false }