CVE-2026-45927
Description
AI Translation Available
In the Linux kernel, the following vulnerability has been resolved:
bpf: Require frozen map for calculating map hash
Currently, bpf_map_get_info_by_fd calculates and caches the hash of the
map regardless of the map's frozen state.
This leads to a TOCTOU bug where userspace can call
BPF_OBJ_GET_INFO_BY_FD to cache the hash and then modify the map
contents before freezing.
Therefore, a trusted loader can be tricked into verifying the stale hash
while loading the modified contents.
Fix this by returning -EPERM if the map is not frozen when the hash is
requested. This ensures the hash is only generated for the final,
immutable state of the map.
https://git.kernel.org/stable/c/7752d36343862323bbeea4ce3adf0ec2ed86e122
https://git.kernel.org/stable/c/a2c86aa621c22f2a7e26c654f936d65cfff0aa91
https://git.kernel.org/stable/c/f415e114b58fe02c41191e47f24bdabb438daf72