Cyber Resilience

CVE-2026-23383

High

Published: 25 March 2026

Published
25 March 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 4.8th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23383 is a high-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-23383 affects the Linux kernel's BPF (Berkeley Packet Filter) subsystem on arm64 architectures. The vulnerability stems from the BPF JIT allocator requesting only 4-byte alignment (sizeof(u32)) for the JIT buffer, while struct bpf_plt contains a u64 target field that requires 8-byte alignment. This misalignment causes two issues: UBSAN misaligned-access warnings during dereferences and, critically, potential atomic tearing. On arm64, 64-bit loads/stores are atomic only if 8-byte aligned; concurrent updates to target via WRITE_ONCE() in bpf_arch_text_poke(), while JIT'd code executes ldr, risk torn reads that corrupt the target address, leading the JIT to jump to invalid locations.

A local attacker with low privileges (AV:L/PR:L) can exploit this with low attack complexity and no user interaction (AC:L/UI:N), as indicated by the CVSS v3.1 score of 7.8 (C:H/I:H/A:H). Exploitation involves triggering the misalignment during BPF JIT operations, potentially causing kernel crashes or control-flow hijacks in JIT'd code due to jumps to corrupted addresses from torn reads.

Mitigation is provided via Linux kernel stable commits, including 519b1ad91de5bf7a496f2b858e9212db6328e1de, 66959ed481a474eaae278c7f6860a2a9b188a4d6, 80ad264da02cc4aee718e799c2b79f0f834673dc, and ef06fd16d48704eac868441d98d4ef083d8f3d07. These patches increase the allocation alignment to 8 bytes (sizeof(u64)) in bpf_jit_binary_pack_alloc(), anchoring the JIT buffer base to an 8-byte boundary and enabling correct relative padding in build_plt() to align the target field properly. Affected systems should update to kernels incorporating these fixes.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing struct bpf_plt contains a u64 target field. Currently, the BPF JIT allocator requests an alignment of 4 bytes…

more

(sizeof(u32)) for the JIT buffer. Because the base address of the JIT buffer can be 4-byte aligned (e.g., ending in 0x4 or 0xc), the relative padding logic in build_plt() fails to ensure that target lands on an 8-byte boundary. This leads to two issues: 1. UBSAN reports misaligned-access warnings when dereferencing the structure. 2. More critically, target is updated concurrently via WRITE_ONCE() in bpf_arch_text_poke() while the JIT'd code executes ldr. On arm64, 64-bit loads/stores are only guaranteed to be single-copy atomic if they are 64-bit aligned. A misaligned target risks a torn read, causing the JIT to jump to a corrupted address. Fix this by increasing the allocation alignment requirement to 8 bytes (sizeof(u64)) in bpf_jit_binary_pack_alloc(). This anchors the base of the JIT buffer to an 8-byte boundary, allowing the relative padding math in build_plt() to correctly align the target field.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Kernel BPF JIT misalignment on arm64 enables local control-flow hijack or crashes, directly facilitating privilege escalation via T1068.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71152Same product: Linux Linux Kernel
CVE-2026-23111Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2026-23387Same product: Linux Linux Kernel
CVE-2025-21856Same product: Linux Linux Kernel
CVE-2025-21727Same product: Linux Linux Kernel
CVE-2026-23275Same product: Linux Linux Kernel
CVE-2026-31401Same product: Linux Linux Kernel
CVE-2024-57980Same product: Linux Linux Kernel
CVE-2026-23437Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.0, 7.0 · 6.0.1 — 6.12.77 · 6.13 — 6.18.17 · 6.19 — 6.19.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2026-23383 by requiring timely application of Linux kernel patches that enforce 8-byte alignment for BPF JIT buffers, preventing atomic tearing and corrupted jumps.

prevent

Ensures organizations receive, disseminate, and implement vendor security advisories and directives for kernel flaws like the BPF JIT misalignment in CVE-2026-23383.

detect

Vulnerability scanning identifies systems with vulnerable Linux kernel versions affected by CVE-2026-23383's BPF JIT alignment issue.

References