{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-45967", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-13T15:03:33.089Z", "datePublished": "2026-05-27T12:18:25.572Z", "dateUpdated": "2026-05-27T12:18:25.572Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-27T12:18:25.572Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Return proper address for non-zero offsets in insn array\n\nThe map_direct_value_addr() function of the instruction\narray map incorrectly adds offset to the resulting address.\nThis is a bug, because later the resolve_pseudo_ldimm64()\nfunction adds the offset. Fix it. Corresponding selftests\nare added in a consequent commit."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/bpf/bpf_insn_array.c"], "versions": [{"version": "493d9e0d608339a32f568504d5fd411a261bb0af", "lessThan": "73ef43202a37d779a8e665a0acae214fa59df9fb", "status": "affected", "versionType": "git"}, {"version": "493d9e0d608339a32f568504d5fd411a261bb0af", "lessThan": "e3bd7bdf5ffe49d8381e42843f6e98cd0c78a1e8", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/bpf/bpf_insn_array.c"], "versions": [{"version": "6.19", "status": "affected"}, {"version": "0", "lessThan": "6.19", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.4", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/73ef43202a37d779a8e665a0acae214fa59df9fb"}, {"url": "https://git.kernel.org/stable/c/e3bd7bdf5ffe49d8381e42843f6e98cd0c78a1e8"}], "title": "bpf: Return proper address for non-zero offsets in insn array", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Return proper address for non-zero offsets in insn array\n\nThe map_direct_value_addr() function of the instruction\narray map incorrectly adds offset to the resulting address.\nThis is a bug, because later the resolve_pseudo_ldimm64()\nfunction adds the offset. Fix it. Corresponding selftests\nare added in a consequent commit."}], "id": "CVE-2026-45967", "lastModified": "2026-05-27T14:48:03.013", "metrics": {}, "published": "2026-05-27T14:17:13.567", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/73ef43202a37d779a8e665a0acae214fa59df9fb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e3bd7bdf5ffe49d8381e42843f6e98cd0c78a1e8"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: bpf: Return proper address for non-zero offsets in insn array", "id": "2482105", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482105"}, "csaw": false, "cwe": "CWE-823", "details": ["A flaw was found in the Linux kernel. Specifically, a bug in the `map_direct_value_addr()` function, which is part of the Berkeley Packet Filter (BPF) instruction array map, leads to incorrect address calculations when dealing with non-zero offsets. This issue could result in the kernel accessing unintended memory locations. While the direct security impact is not explicitly detailed, such memory access issues can potentially lead to system instability or information exposure."], "name": "CVE-2026-45967", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-05-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-45967\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-45967\nhttps://lore.kernel.org/linux-cve-announce/2026052735-CVE-2026-45967-b219@gregkh/T"]}