Hi,

On Fri, Apr 03, 2026 at 10:16:15PM -0300, Benjamin Leon Dubos wrote:
> Source: linux
> Version: 6.19.10-1
> Severity: grave
> Tags: patch security
> X-Debbugs-Cc: [email protected], Debian Security Team
> <[email protected]>
>
> This is a backport for CVE-2026-23417 (BPF JIT Blinding bypass)
> targeting the linux package in Sid (6.19.10-1).
>
> I have verified the patch by successfully compiling kernel/bpf/core.o
> in a Debian Sid environment. The patch follows DEP-3 standards and
> addresses the issue where BPF_ST | BPF_PROBE_MEM32 instructions
> were bypassing constant blinding.
>
> The fix is based on the upstream commit by Linus Torvalds.
> Attached is the DEP-3 formatted patch.

Thanks for the patch (but it is not needed, as we follow stable upstream series this is included in 6.19.11 which will be uploaded to unstable). I added a bug closer to the respective entry, but in general it's not really needed to file bugs for CVEs for the linux kernel, tracking of the CVE is already almost well established.

Regards,
Salvatore

