CVE-2025-38591

MEDIUM
2025-08-19 416baaa9-dc9f-4396-8d5f-8c081fb06d67
5.5
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 17, 2026 - 20:45 vuln.today
Patch Released
Mar 17, 2026 - 20:45 nvd
Patch available
CVE Published
Aug 19, 2025 - 17:15 nvd
MEDIUM 5.5

Tags

Linux Denial Of Service Linux Kernel Redhat Suse

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Reject narrower access to pointer ctx fields The following BPF program, simplified from a syzkaller repro, causes a kernel warning: r0 = *(u8 *)(r1 + 169); exit; With pointer field sk being at offset 168 in __sk_buff. This access is detected as a narrower read in bpf_skb_is_valid_access because it doesn't match offsetof(struct __sk_buff, sk). It is therefore allowed and later proceeds to bpf_convert_ctx_access. Note that for the "is_narrower_load" case in the convert_ctx_accesses(), the insn->off is aligned, so the cnt may not be 0 because it matches the offsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However, the target_size stays 0 and the verifier errors with a kernel warning: verifier bug: error during ctx access conversion(1) This patch fixes that to return a proper "invalid bpf_context access off=X size=Y" error on the load instruction. The same issue affects multiple other fields in context structures that allow narrow access. Some other non-affected fields (for sk_msg, sk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for consistency. Note this syzkaller crash was reported in the "Closes" link below, which used to be about a different bug, fixed in commit fce7bd8e385a ("bpf/verifier: Handle BPF_LOAD_ACQ instructions in insn_def_regno()"). Because syzbot somehow confused the two bugs, the new crash and repro didn't get reported to the mailing list.

Analysis

A vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) verifier allows unprivileged local users to trigger a kernel warning and denial of service by performing narrower-than-expected memory access to pointer context fields. The flaw exists in how the verifier handles pointer field access validation in context structures like __sk_buff, where it incorrectly permits sub-byte or misaligned reads that should be rejected. An attacker with local user privileges can craft a malicious BPF program that causes the kernel to emit a verifier warning ("verifier bug: error during ctx access conversion") and potentially crash or destabilize the system, affecting all Linux kernel versions prior to the patched releases.

Technical Context

The vulnerability resides in the Linux kernel's BPF verifier subsystem, specifically in the functions bpf_skb_is_valid_access() and bpf_convert_ctx_access(). BPF is an in-kernel virtual machine that allows unprivileged user-space programs to run sandboxed code in kernel context. The verifier is responsible for statically analyzing BPF bytecode to ensure memory safety and security. The bug occurs because the verifier permits "narrower" memory loads (reading fewer bytes than the full width of a pointer field) at offset 168 in __sk_buff (the sk field), which should be rejected. When such a narrower load is detected during access conversion, the target_size remains 0 while the offset is aligned, causing a kernel warning rather than a proper error message. This represents a logic flaw in the verifier's context access validation layer rather than a memory corruption vulnerability, but it exposes the kernel to denial of service via malformed BPF programs. The affected CPE is cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (all Linux kernel versions).

Affected Products

The Linux kernel across all versions is affected as indicated by the CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*. Patches have been issued across multiple stable kernel branches, including commits 058a0da4f6d916a79b693384111bb80a90d73763, 202900ceeef67458c964c2af6e1427c8e533ea7c, 33660d44e789edb4f303210c813fc56d56377a90, 7847c4140e06f6e87229faae22cc38525334c156, e09299225d5ba3916c91ef70565f7d2187e4cca0, and feae34c992eb7191862fb1594c704fbbf650fef8 available in the Linux kernel git repository. The vulnerability affects all kernel versions prior to these patches and impacts any system where unprivileged BPF program loading is permitted via the bpf() syscall. End-of-life distributions and older kernel versions without backported patches remain vulnerable.

Remediation

Apply the latest kernel patches immediately by upgrading to a kernel version that includes one of the six referenced commits from the Linux kernel stable branches (see https://git.kernel.org/stable for patch details). Distribution maintainers should backport the fixes to all supported kernel versions; check your distribution's security advisories for specific kernel versions (e.g., Ubuntu, Red Hat, Debian) that have incorporated these patches. Until patching is complete, restrict the use of unprivileged BPF program loading by disabling the bpf() syscall for non-root users via the kernel.unprivileged_bpf_disabled sysctl setting (set to 1), or use seccomp/SELinux policies to deny unprivileged BPF access. In containerized environments, enforce kernel.unprivileged_bpf_disabled=1 at the host level and disable BPF capabilities in container security policies. Verify patch application by checking kernel version and examining /proc/version or using uname -r.

Priority Score

28
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +28
POC: 0

Vendor Status

Share

CVE-2025-38591 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy