Skip to main content

Linux CVE-2025-39748

MEDIUM
2025-09-11 416baaa9-dc9f-4396-8d5f-8c081fb06d67
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 25, 2026 - 11:22 vuln.today
Patch released
Mar 25, 2026 - 11:22 nvd
Patch available
CVE Published
Sep 11, 2025 - 17:15 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

bpf: Forget ranges when refining tnum after JSET

Syzbot reported a kernel warning due to a range invariant violation on the following BPF program.

0: call bpf_get_netns_cookie 1: if r0 == 0 goto <exit> 2: if r0 & Oxffffffff goto <exit>

The issue is on the path where we fall through both jumps.

That path is unreachable at runtime: after insn 1, we know r0 != 0, but with the sign extension on the jset, we would only fallthrough insn 2 if r0 == 0. Unfortunately, is_branch_taken() isn't currently able to figure this out, so the verifier walks all branches. The verifier then refines the register bounds using the second condition and we end up with inconsistent bounds on this unreachable path:

1: if r0 == 0 goto <exit> r0: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0xffffffffffffffff) 2: if r0 & 0xffffffff goto <exit> r0 before reg_bounds_sync: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0) r0 after reg_bounds_sync: u64=[0x1, 0] var_off=(0, 0)

Improving the range refinement for JSET to cover all cases is tricky. We also don't expect many users to rely on JSET given LLVM doesn't generate those instructions. So instead of improving the range refinement for JSETs, Eduard suggested we forget the ranges whenever we're narrowing tnums after a JSET. This patch implements that approach.

AnalysisAI

Linux kernel BPF verifier fails to properly handle range invariants when refining register bounds following JSET (bitwise AND test) instructions, allowing local privileged users to trigger kernel warnings and cause denial of service. The vulnerability affects all Linux kernel versions with BPF subsystem support across multiple kernel branches. While EPSS probability is very low (0.02%, percentile 5%), the issue manifests as a kernel warning on unreachable code paths that the verifier incorrectly traverses, and patches are available from upstream kernel repositories.

Technical ContextAI

The vulnerability exists in the Linux kernel's BPF verifier component (bpf subsystem), specifically in the register range refinement logic following JSET instructions. The BPF verifier performs static analysis of eBPF programs to ensure safety before execution. When processing conditional branches (particularly JSET operations which test bitwise AND conditions), the verifier tracks register value ranges using two parallel representations: concrete ranges (u64 bounds) and symbolic ranges (var_off tnum). The bug occurs when the verifier fails to recognize that certain code paths are logically unreachable (e.g., when r0 must be non-zero after the first condition but the JSET would only fall-through if r0 equals zero). This causes the verifier to walk unreachable paths and apply range refinement that creates inconsistent state: the tnum is narrowed (var_off changes from 0xffffffffffffffff to 0) while the concrete range is simultaneously tightened (u64 bounds go from [0x1, 0xffffffffffffffff] to [0x1, 0]), violating internal consistency invariants. Affected products are identified via CPE cpe:2.3:o:linux:linux_kernel with all version and configuration combinations.

RemediationAI

Upgrade to a patched Linux kernel version released after the fix commits (0643aa2468192a4d81326e8e76543854870b1ee2 and related commits across stable branches). For Ubuntu systems, apply security updates from USN-8126-1. Alternatively, apply the upstream kernel patch directly by cherry-picking commit 2fd0c26bacd90ef26522bd3169000a4715bf151f or equivalent from vendor repositories at git.kernel.org/stable. Until patching is possible, restrict local user access to BPF program loading via syscall filters (seccomp) or disable unprivileged BPF operations via kernel parameters (kernel.unprivileged_bpf_disabled=2) to limit exposure, though this only reduces attack surface rather than eliminating the vulnerability for privileged users.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
Container suse/sl-micro/6.0/base-os-container:2.1.3-7.105 Container suse/sl-micro/6.1/base-os-container:2.2.1-5.90 Image SL-Micro-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-Azure-ltd Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd Affected
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.124 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.94 Affected
Container suse/sl-micro/6.0/rt-os-container:2.1.3-7.146 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.91 Affected
Image SLES-Azure-3P Image SLES-Azure-Basic Image SLES-Azure-Standard Image SLES-BYOS-Azure Image SLES-BYOS-EC2 Image SLES-BYOS-GCE Image SLES-CHOST-BYOS-Aliyun Image SLES-CHOST-BYOS-Azure Image SLES-CHOST-BYOS-EC2 Image SLES-CHOST-BYOS-GCE Image SLES-CHOST-BYOS-GDC Image SLES-CHOST-BYOS-SAP-CCloud Image SLES-EC2 Image SLES-GCE Image SLES-Hardened-BYOS-Azure Image SLES-Hardened-BYOS-EC2 Image SLES-Hardened-BYOS-GCE Image SLES-SAPCAL-Azure Image SLES-SAPCAL-EC2 Image SLES-SAPCAL-GCE Affected
Image SLES-SAP-Azure Image SLES-SAP-Azure-3P Image SLES-SAP-BYOS-Azure Image SLES-SAP-BYOS-EC2 Image SLES-SAP-BYOS-GCE Image SLES-SAP-GCE Affected

Share

CVE-2025-39748 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy