CVE-2026-23383
Published: 25 March 2026
Summary
CVE-2026-23383 is a high-severity vulnerability in the Linux kernel; its weakness class (CWE) is unspecified. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-23383 affects the Linux kernel's BPF (Berkeley Packet Filter) subsystem on arm64 architectures. The vulnerability stems from the BPF JIT allocator requesting only 4-byte alignment (sizeof(u32)) for the JIT buffer, while struct bpf_plt contains a u64 target field that requires 8-byte alignment. This misalignment causes two issues: UBSAN misaligned-access warnings during dereferences and, critically, potential atomic tearing. On arm64, 64-bit loads/stores are atomic only if 8-byte aligned; concurrent updates to target via WRITE_ONCE() in bpf_arch_text_poke(), while JIT'd code executes ldr, risk torn reads that corrupt the target address, leading the JIT to jump to invalid locations.
A local attacker with low privileges (AV:L/PR:L) can exploit this with low attack complexity and no user interaction (AC:L/UI:N), as indicated by the CVSS v3.1 score of 7.8 (C:H/I:H/A:H). Exploitation involves triggering the misalignment during BPF JIT operations, potentially causing kernel crashes or control-flow hijacks in JIT'd code due to jumps to corrupted addresses from torn reads.
Mitigation is provided via Linux kernel stable commits, including 519b1ad91de5bf7a496f2b858e9212db6328e1de, 66959ed481a474eaae278c7f6860a2a9b188a4d6, 80ad264da02cc4aee718e799c2b79f0f834673dc, and ef06fd16d48704eac868441d98d4ef083d8f3d07. These patches increase the allocation alignment to 8 bytes (sizeof(u64)) in bpf_jit_binary_pack_alloc(), anchoring the JIT buffer base to an 8-byte boundary and enabling correct relative padding in build_plt() to align the target field properly. Affected systems should update to kernels incorporating these fixes.
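The alignment arithmetic described above, as an added example (not kernel code and not part of the original advisory): a simplified model showing that padding computed relative to the buffer base only aligns target when the base itself is 8-byte aligned. The struct, function names and base addresses are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define INSN_SIZE 4u   /* arm64 instructions are 4 bytes wide */

/* Simplified stand-in for the PLT layout: two instructions, then the u64 target. */
struct plt_model {
    uint32_t insn_ldr;
    uint32_t insn_br;
    uint64_t target;
};

/* Relative padding (model): given the instruction index where the PLT would
 * start, add one 4-byte NOP if needed so that target's offset from the
 * buffer base is a multiple of 8. Returns that byte offset. */
static size_t target_offset_in_image(size_t insn_idx)
{
    size_t off = insn_idx * INSN_SIZE + offsetof(struct plt_model, target);
    if (off % sizeof(uint64_t))
        off += INSN_SIZE;   /* one NOP of padding */
    return off;
}

/* Counts PLT start positions 0..n_idx-1 whose target lands on a misaligned
 * absolute address when the buffer starts at `base`. */
static unsigned misaligned_targets(uintptr_t base, size_t n_idx)
{
    unsigned bad = 0;
    for (size_t idx = 0; idx < n_idx; idx++) {
        uintptr_t addr = base + target_offset_in_image(idx);
        if (addr % sizeof(uint64_t))
            bad++;
    }
    return bad;
}

int main(void)
{
    /* Constructed bases: 8-byte aligned, then ending in 0x4 and 0xc. */
    const uintptr_t bases[] = { 0x10000, 0x10004, 0x1000c };
    for (size_t i = 0; i < sizeof(bases) / sizeof(bases[0]); i++)
        printf("base=%#lx misaligned=%u/16\n",
               (unsigned long)bases[i], misaligned_targets(bases[i], 16));
    return 0;
}
```

Because the padded offset is always a multiple of 8, the absolute alignment of target is decided entirely by the base address, which is why the fix raises the allocator's alignment rather than changing the padding logic.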
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15378
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing
struct bpf_plt contains a u64 target field. Currently, the BPF JIT allocator requests an alignment of 4 bytes (sizeof(u32)) for the JIT buffer.
Because the base address of the JIT buffer can be 4-byte aligned (e.g., ending in 0x4 or 0xc), the relative padding logic in build_plt() fails to ensure that target lands on an 8-byte boundary.
This leads to two issues:
1. UBSAN reports misaligned-access warnings when dereferencing the structure.
2. More critically, target is updated concurrently via WRITE_ONCE() in bpf_arch_text_poke() while the JIT'd code executes ldr. On arm64, 64-bit loads/stores are only guaranteed to be single-copy atomic if they are 64-bit aligned. A misaligned target risks a torn read, causing the JIT to jump to a corrupted address.
Fix this by increasing the allocation alignment requirement to 8 bytes (sizeof(u64)) in bpf_jit_binary_pack_alloc(). This anchors the base of the JIT buffer to an 8-byte boundary, allowing the relative padding math in build_plt() to correctly align the target field.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Kernel BPF JIT misalignment on arm64 enables local control-flow hijack or crashes, directly facilitating privilege escalation via T1068.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mitigates CVE-2026-23383 by requiring timely application of Linux kernel patches that enforce 8-byte alignment for BPF JIT buffers, preventing atomic tearing and corrupted jumps.
Ensures organizations receive, disseminate, and implement vendor security advisories and directives for kernel flaws like the BPF JIT misalignment in CVE-2026-23383.
Vulnerability scanning identifies systems with vulnerable Linux kernel versions affected by CVE-2026-23383's BPF JIT alignment issue.