PT-2026-29724 · Linux

Published: 2026-04-02 · Updated: 2026-04-02 · CVE-2026-23417

Severity: None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix constant blinding for PROBE_MEM32 stores

BPF_ST | BPF_PROBE_MEM32 immediate stores are not handled by bpf_jit_blind_insn(), allowing user-controlled 32-bit immediates to survive unblinded into JIT-compiled native code when bpf_jit_harden >= 1.

The root cause is that convert_ctx_accesses() rewrites BPF_ST | BPF_MEM to BPF_ST | BPF_PROBE_MEM32 for arena pointer stores during verification, before bpf_jit_blind_constants() runs during JIT compilation. The blinding switch only matches BPF_ST | BPF_MEM (mode 0x60), not BPF_ST | BPF_PROBE_MEM32 (mode 0xa0). The instruction falls through unblinded.

Add BPF_ST | BPF_PROBE_MEM32 cases to bpf_jit_blind_insn() alongside the existing BPF_ST | BPF_MEM cases. The blinding transformation is identical: load the blinded immediate into BPF_REG_AX via mov+xor, then convert the immediate store to a register store (BPF_STX).

The rewritten STX instruction must preserve the BPF_PROBE_MEM32 mode so the architecture JIT emits the correct arena addressing (R12-based on x86-64). The BPF_STX_MEM() macro cannot be used here because it hardcodes BPF_MEM mode; construct the instruction directly instead.
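The following is an added example, not the kernel's own code: a simplified, user-space model of the bpf_jit_blind_insn() rewrite for immediate stores. The opcode constants mirror the kernel's values, but struct bpf_insn, blind_st_imm(), imm_survives() and ax_value() are this example's own simplified constructions, and the "fixed" flag models the pre-fix switch (which matched only BPF_MEM) beside the fixed one (which also matches BPF_PROBE_MEM32 and preserves that mode in the emitted BPF_STX).

```c
#include <stdbool.h>
#include <stdint.h>
/* Opcode constants mirror include/uapi/linux/bpf.h; the struct layout is simplified. */
#define BPF_CLASS(c)    ((c) & 0x07)
#define BPF_SIZE(c)     ((c) & 0x18)
#define BPF_MODE(c)     ((c) & 0xe0)
#define BPF_ST          0x02
#define BPF_STX         0x03
#define BPF_ALU         0x04
#define BPF_MOV         0xb0
#define BPF_XOR         0xa0
#define BPF_K           0x00
#define BPF_W           0x00
#define BPF_MEM         0x60   /* plain store mode, the only one the old switch matched */
#define BPF_PROBE_MEM32 0xa0   /* arena store mode set by convert_ctx_accesses() */
#define BPF_REG_AX      11     /* scratch register reserved for blinding */

struct bpf_insn { uint8_t code; uint8_t dst_reg:4, src_reg:4; int16_t off; int32_t imm; };
/* Rewrite one BPF_ST immediate store as mov/xor into AX plus a BPF_STX.
 * Returns the number of instructions written to out (1 = passed through unblinded).
 * rnd stands in for the random value the kernel draws; fixed=false models the
 * pre-fix switch that matched only BPF_MEM. */
int blind_st_imm(const struct bpf_insn *from, uint32_t rnd, bool fixed, struct bpf_insn out[3])
{
    uint8_t mode = BPF_MODE(from->code);
    bool match = BPF_CLASS(from->code) == BPF_ST &&
                 (mode == BPF_MEM || (fixed && mode == BPF_PROBE_MEM32));
    if (!match) { out[0] = *from; return 1; }
    out[0] = (struct bpf_insn){ .code = BPF_ALU | BPF_MOV | BPF_K, .dst_reg = BPF_REG_AX,
                                .imm = (int32_t)(rnd ^ (uint32_t)from->imm) };
    out[1] = (struct bpf_insn){ .code = BPF_ALU | BPF_XOR | BPF_K, .dst_reg = BPF_REG_AX,
                                .imm = (int32_t)rnd };
    /* Not BPF_STX_MEM(): that macro hardcodes BPF_MEM. Carry the original mode over. */
    out[2] = (struct bpf_insn){ .code = BPF_STX | BPF_SIZE(from->code) | mode,
                                .dst_reg = from->dst_reg, .src_reg = BPF_REG_AX, .off = from->off };
    return 3;
}

/* Review check: does the user-chosen immediate still appear literally anywhere? */
bool imm_survives(const struct bpf_insn *insns, int n, int32_t imm)
{
    for (int i = 0; i < n; i++) if (insns[i].imm == imm) return true;
    return false;
}

/* What BPF_REG_AX holds after mov+xor at run time: (imm ^ rnd) ^ rnd == imm. */
int32_t ax_value(const struct bpf_insn *blinded)
{
    return (int32_t)((uint32_t)blinded[0].imm ^ (uint32_t)blinded[1].imm);
}
```

Run with a constructed arena store such as `*(u32 *)(r1 + 8) = 0xdeadbeef` (code BPF_ST | BPF_PROBE_MEM32 | BPF_W): with fixed=false the instruction is returned unchanged and the immediate survives, with fixed=true the output is mov/xor/BPF_STX, the literal is gone, and BPF_MODE of the store is still BPF_PROBE_MEM32.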

Related Identifiers

CVE-2026-23417

Affected Products

Linux