CVE-2025-39748
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Forget ranges when refining tnum after JSET

Syzbot reported a kernel warning due to a range invariant violation on the following BPF program.

    0: call bpf_get_netns_cookie
    1: if r0 == 0 goto <exit>
    2: if r0 & 0xffffffff goto <exit>

The issue is on the path where we fall through both jumps. That path is unreachable at runtime: after insn 1, we know r0 != 0, but with the sign extension on the jset, we would only fallthrough insn 2 if r0 == 0. Unfortunately, is_branch_taken() isn't currently able to figure this out, so the verifier walks all branches. The verifier then refines the register bounds using the second condition and we end up with inconsistent bounds on this unreachable path:

    1: if r0 == 0 goto <exit>
      r0: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0xffffffffffffffff)
    2: if r0 & 0xffffffff goto <exit>
      r0 before reg_bounds_sync: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0)
      r0 after reg_bounds_sync:  u64=[0x1, 0] var_off=(0, 0)

Improving the range refinement for JSET to cover all cases is tricky. We also don't expect many users to rely on JSET given LLVM doesn't generate those instructions. So instead of improving the range refinement for JSETs, Eduard suggested we forget the ranges whenever we're narrowing tnums after a JSET. This patch implements that approach.
Analysis
The Linux kernel's BPF verifier fails to keep its range invariants consistent when it refines register bounds after a JSET (bitwise AND test) instruction. Local users with the privileges needed to load BPF programs (CVSS PR:L) can trigger a kernel warning and cause a denial of service. The vulnerability affects Linux kernel versions with BPF subsystem support across multiple kernel branches. The EPSS probability is very low (0.02%, 5th percentile); the issue manifests as a kernel warning on an unreachable code path that the verifier incorrectly traverses, and patches are available from the upstream kernel repositories.
Technical Context
The vulnerability exists in the Linux kernel's BPF verifier (bpf subsystem), specifically in the register range refinement logic that runs after JSET instructions. The BPF verifier performs static analysis of eBPF programs to ensure they are safe before they execute. When it processes conditional branches (here a JSET, which tests whether a bitwise AND is non-zero), the verifier tracks each register's possible values in two parallel representations: concrete ranges (u64 bounds) and a symbolic representation (the var_off tnum, which records which bits are known and their values). The bug occurs because the verifier does not recognise that a certain path is logically unreachable: after the first condition r0 must be non-zero, but because the 32-bit immediate is sign-extended, the JSET only falls through if r0 equals zero. The verifier therefore walks the unreachable path and applies range refinement that produces an inconsistent state: the tnum is narrowed to the constant 0 (its unknown-bits mask goes from 0xffffffffffffffff to 0) while the concrete range is tightened against it (the u64 bounds go from [0x1, 0xffffffffffffffff] to the empty range [0x1, 0]), violating the verifier's internal consistency invariants. Affected products are identified via CPE cpe:2.3:o:linux:linux_kernel for all version and configuration combinations.
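The bookkeeping described in the description and in the technical context above, as an added example that is not code from the kernel or from this page: a small C model of the verifier's two representations for r0 (the tnum and the u64 range). The not-taken edge of `if r0 & 0xffffffff` is refined once the pre-fix way (narrow var_off, keep the existing range, then sync) and once following the approach the fix describes (forget the range before re-deriving it from the tnum). The struct and function names, the reduced `bounds_sync`, and the explicit range reset are this example's own simplifications and are assumptions, not the kernel's code; `tnum_and` follows the published tnum semantics.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Tristate number (tnum) as the BPF verifier uses it: a bit set in `mask`
 * is unknown; for known bits, `value` holds the bit. */
struct tnum {
    uint64_t value;
    uint64_t mask;
};

/* The two parallel representations kept for a register: concrete u64
 * bounds and the symbolic tnum (var_off). Example struct, not the kernel's. */
struct reg_bounds {
    uint64_t umin;
    uint64_t umax;
    struct tnum var_off;
};

static struct tnum tnum_unknown(void) { return (struct tnum){ 0, UINT64_MAX }; }
static struct tnum tnum_const(uint64_t v) { return (struct tnum){ v, 0 }; }

/* Bitwise AND of two tnums: a bit is known zero if it is known zero on
 * either side, known one if known one on both sides, otherwise unknown. */
static struct tnum tnum_and(struct tnum a, struct tnum b)
{
    uint64_t alpha = a.value | a.mask;   /* bits that may be 1 in a */
    uint64_t beta  = b.value | b.mask;   /* bits that may be 1 in b */
    uint64_t v     = a.value & b.value;  /* bits known to be 1 in both */
    return (struct tnum){ v, alpha & beta & ~v };
}

/* A 64-bit BPF jump with an immediate sign-extends the 32-bit imm, so
 * `if r0 & 0xffffffff` actually tests against 0xffffffffffffffff. */
static uint64_t sext32(int32_t imm) { return (uint64_t)(int64_t)imm; }

/* The range invariant that was violated: umin must not exceed umax. */
static bool bounds_sane(const struct reg_bounds *r) { return r->umin <= r->umax; }

/* The part of reg_bounds_sync modelled here: tighten the u64 bounds to the
 * smallest and largest values var_off still allows. */
static void bounds_sync(struct reg_bounds *r)
{
    uint64_t lo = r->var_off.value;
    uint64_t hi = r->var_off.value | r->var_off.mask;
    if (r->umin < lo) r->umin = lo;
    if (r->umax > hi) r->umax = hi;
}

/* Refine r on the fall-through (not-taken) edge of `if r & imm goto ...`:
 * the test failed, so every bit set in imm is known zero in r.
 * forget_ranges=false models the pre-fix behaviour; true models the approach
 * the fix describes (drop the concrete range before re-deriving it).
 * Returns whether the resulting state satisfies the invariant. */
static bool refine_jset_not_taken(struct reg_bounds *r, uint64_t imm, bool forget_ranges)
{
    r->var_off = tnum_and(r->var_off, tnum_const(~imm));
    if (forget_ranges) {
        r->umin = 0;
        r->umax = UINT64_MAX;
    }
    bounds_sync(r);
    return bounds_sane(r);
}

/* State of r0 after falling through `if r0 == 0 goto <exit>`: r0 != 0 is
 * known, but nothing about its individual bits (constructed sample state). */
static struct reg_bounds r0_after_insn1(void)
{
    return (struct reg_bounds){ 1, UINT64_MAX, tnum_unknown() };
}

static void dump(const char *label, const struct reg_bounds *r)
{
    printf("%s: u64=[%#llx, %#llx] var_off=(%#llx, %#llx) sane=%d\n", label,
           (unsigned long long)r->umin, (unsigned long long)r->umax,
           (unsigned long long)r->var_off.value,
           (unsigned long long)r->var_off.mask, bounds_sane(r));
}

int main(void)
{
    uint64_t imm = sext32(-1);  /* the page's 0xffffffff after sign extension */
    struct reg_bounds pre = r0_after_insn1();
    struct reg_bounds post = r0_after_insn1();

    refine_jset_not_taken(&pre, imm, false);   /* reproduces u64=[0x1, 0] */
    dump("pre-fix ", &pre);
    refine_jset_not_taken(&post, imm, true);   /* consistent: u64=[0, 0] */
    dump("post-fix", &post);
    return 0;
}
```

The pre-fix run reproduces the state quoted in the description (u64=[0x1, 0] with var_off=(0, 0)), which is exactly what the kernel's invariant check warns about; the post-fix run yields the consistent constant 0, so the verifier can carry on with a sound (if unreachable) state instead of tripping the warning.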
Affected Products
Linux kernel versions across all supported branches are affected, as identified by CPE cpe:2.3:o:linux:linux_kernel. The vulnerability impacts the BPF verifier subsystem present in all modern kernel releases. Ubuntu addresses this vulnerability in security notice USN-8126-1. Patched commits are available across multiple kernel stable branches: 0643aa2468192a4d81326e8e76543854870b1ee2, 2fd0c26bacd90ef26522bd3169000a4715bf151f, 591c788d16046edb0220800bf1819554af5853ce, 6279846b9b2532e1b04559ef8bd0dec049f29383, 80a6b11862a7cfdf691e8f9faee89cfea219f098, and f01e06930444cab289a8783017af9b64255bd103. No specific version range is provided in the vendor data, indicating that all versions with BPF support may be affected.
Remediation
Upgrade to a patched Linux kernel version that includes the fix commits (0643aa2468192a4d81326e8e76543854870b1ee2 and the related commits on the stable branches). For Ubuntu systems, apply the security updates from USN-8126-1. Alternatively, apply the upstream kernel patch directly by cherry-picking commit 2fd0c26bacd90ef26522bd3169000a4715bf151f, or its equivalent, from the vendor repositories at git.kernel.org/stable. Until patching is possible, restrict local users' ability to load BPF programs via syscall filters (seccomp) or disable unprivileged BPF via the sysctl kernel.unprivileged_bpf_disabled=2 to limit exposure; this only reduces the attack surface and does not eliminate the vulnerability for users who retain the privileges to load BPF programs.