PT-2026-43753 · Linux · Linux

Published 2026-05-27 · Updated 2026-05-27 · CVE-2026-45886

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix bpf_xdp_store_bytes proto for read-only arg
While making some maps in Cilium read-only from the BPF side, we noticed that the bpf_xdp_store_bytes proto is incorrect. In particular, the verifier was throwing the following error:
    ; ret = ctx_store_bytes(ctx, l3_off + offsetof(struct iphdr, saddr), &nat->address, 4, 0);
    635: (79) r1 = *(u64 *)(r10 -144) ; R1=ctx() R10=fp0 fp-144=ctx()
    636: (b4) w2 = 26 ; R2=26
    637: (b4) w4 = 4 ; R4=4
    638: (b4) w5 = 0 ; R5=0
    639: (85) call bpf_xdp_store_bytes#190
    write into map forbidden, value_size=6 off=0 size=4
nat comes from a BPF_F_RDONLY_PROG map, so R3 is a PTR_TO_MAP_VALUE. The verifier checks the helper's memory access to R3 in check_mem_size_reg, as it reaches ARG_CONST_SIZE argument. The third argument has expected type ARG_PTR_TO_UNINIT_MEM, which includes the MEM_WRITE flag. The verifier thus checks for a BPF_WRITE access on R3. Given R3 points to a read-only map, the check fails.
Conversely, ARG_PTR_TO_UNINIT_MEM can also lead to the helper reading from uninitialized memory.
This patch simply fixes the expected argument type to match that of bpf_skb_store_bytes.
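
A simplified user-space model of the two effects described above, added here as an illustration; it is not kernel code and not part of the patch. The flag names, `check_arg3`, the modelling of ARG_PTR_TO_UNINIT_MEM as write plus uninit, and the "after" type (a read-only memory argument, assumed to be what bpf_skb_store_bytes declares) are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Illustrative model only; these names are not kernel identifiers. */
enum { M_RDONLY = 1, M_WRITE = 2, M_UNINIT = 4 };   /* argument-type flags */
enum reg_kind { REG_MAP_VALUE, REG_STACK };
enum verdict { ACCEPT, REJECT_MAP_WRITE, REJECT_UNINIT_READ };

struct reg {
    enum reg_kind kind;
    bool map_rdonly_prog;    /* map created with BPF_F_RDONLY_PROG */
    bool stack_initialized;  /* program wrote the bytes before the call */
};

/* Third-argument type before the fix (ARG_PTR_TO_UNINIT_MEM, modelled as
 * write + uninit) and after it (assumed: read-only memory argument). */
static const int ARG3_BEFORE = M_WRITE | M_UNINIT;
static const int ARG3_AFTER  = M_RDONLY;

/* May this register be passed as the helper's source buffer? */
static enum verdict check_arg3(int arg_flags, const struct reg *r)
{
    if (r->kind == REG_MAP_VALUE) {
        /* A write-typed argument triggers a write-access check on the map. */
        if ((arg_flags & M_WRITE) && r->map_rdonly_prog)
            return REJECT_MAP_WRITE;   /* "write into map forbidden" */
        return ACCEPT;
    }
    /* Stack buffer: an uninit-typed argument skips the initialization
     * check, since the helper is expected to fill the buffer itself. */
    if (!(arg_flags & M_UNINIT) && !r->stack_initialized)
        return REJECT_UNINIT_READ;
    return ACCEPT;
}

int main(void)
{
    struct reg nat = { REG_MAP_VALUE, true, false };   /* constructed input */
    struct reg buf = { REG_STACK, false, false };      /* constructed input */
    printf("rdonly map: before=%d after=%d\n",
           check_arg3(ARG3_BEFORE, &nat), check_arg3(ARG3_AFTER, &nat));
    printf("uninit stack: before=%d after=%d\n",
           check_arg3(ARG3_BEFORE, &buf), check_arg3(ARG3_AFTER, &buf));
    return 0;
}
```

With the "before" type the model rejects the read-only map value and accepts the uninitialized stack buffer; with the "after" type both outcomes flip.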

Related Identifiers

CVE-2026-45886

Affected Products

Linux