Description
In the Linux kernel, the following vulnerability has been resolved:

LoongArch: Enable exception fixup for specific ADE subcode

This patch allows the LoongArch BPF JIT to handle recoverable memory access errors generated by BPF_PROBE_MEM* instructions.

When a BPF program performs memory access operations, the instructions it executes may trigger ADEM exceptions. The kernel’s built-in BPF exception table mechanism (EX_TYPE_BPF) will generate corresponding exception fixup entries in the JIT compilation phase; however, the architecture-specific trap handling function needs to proactively call the common fixup routine to achieve exception recovery.

do_ade(): fix EX_TYPE_BPF memory access exceptions for BPF programs, ensure safe execution.

Relevant test cases: illegal address access tests in module_attach and subprogs_extable of selftests/bpf.
Analysis
This vulnerability is a missing exception fixup path for the LoongArch BPF JIT: the kernel fails to recover from memory access exceptions (ADEM) triggered by BPF_PROBE_MEM* instructions. The Linux kernel on LoongArch systems (CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) is affected, potentially allowing information disclosure or denial of service when BPF programs attempt to safely probe memory locations. This is not actively exploited (no KEV status), and patches are available across multiple stable kernel branches.
Technical Context
The LoongArch CPU architecture uses ADEM (Address Error Memory) exceptions to signal memory access violations. The Linux kernel implements a BPF exception handling mechanism (EX_TYPE_BPF) that generates fixup entries during BPF JIT compilation to gracefully handle memory access faults from BPF_PROBE_MEM* instructions, a feature intended to allow safe speculative memory reads in eBPF programs. However, the architecture-specific trap handler (the do_ade() function) did not invoke the common BPF exception recovery routine, leaving JIT-compiled BPF programs unable to recover from ADEM exceptions. This is a missing integration point between the LoongArch exception handling layer and the kernel's cross-architecture BPF exception framework, not a fundamental algorithmic flaw. The root cause is an incomplete implementation of exception recovery semantics rather than a memory safety or access control bypass.
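The missing integration point described above, shown as an added example: a simplified user-space model, not kernel code and not taken from the patch. All struct and function names are hypothetical, and the model assumes the usual BPF_PROBE_MEM recovery behaviour, in which a faulting load leaves zero in its destination register and execution continues after it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space model; every name here is hypothetical. */
struct ex_entry {        /* one fixup entry emitted at JIT time */
    uintptr_t insn;      /* address of the probing load */
    uintptr_t resume;    /* where execution continues after a fault */
    int dst_reg;         /* register the load would have written */
};

struct cpu_regs { uintptr_t pc; uint64_t r[32]; };

/* Common fixup routine: recover if the faulting pc has a table entry. */
static int model_fixup_exception(struct cpu_regs *regs,
                                 const struct ex_entry *tbl, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].insn != regs->pc)
            continue;
        regs->r[tbl[i].dst_reg] = 0;   /* failed probe reads as zero */
        regs->pc = tbl[i].resume;      /* step past the faulting load */
        return 1;
    }
    return 0;
}

/* Address-error trap handler. call_fixup=0 models the handler that never
 * consults the table, call_fixup=1 the handler that does. Returns 1 when
 * execution can resume, 0 when the fault is left unrecovered. */
static int model_do_ade(struct cpu_regs *regs, const struct ex_entry *tbl,
                        size_t n, int call_fixup)
{
    return call_fixup && model_fixup_exception(regs, tbl, n);
}

/* Constructed sample: a probing load at 0x1000 whose destination is r5. */
static const struct ex_entry sample_tbl[] = { { 0x1000, 0x1004, 5 } };

int main(void)
{
    struct cpu_regs a = { .pc = 0x1000 }, b = { .pc = 0x1000 };
    int ra = model_do_ade(&a, sample_tbl, 1, 0);
    int rb = model_do_ade(&b, sample_tbl, 1, 1);
    printf("without fixup call: recovered=%d pc=%#lx\n", ra, (unsigned long)a.pc);
    printf("with fixup call:    recovered=%d pc=%#lx\n", rb, (unsigned long)b.pc);
    return 0;
}
```

The table entry exists in both runs; only the handler's decision to consult it changes the outcome, which is why the JIT-side entries alone were not enough.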
Affected Products
The Linux kernel across all LoongArch-based systems is affected (CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*). No specific version range is documented in the CVE description, but patches were applied to stable kernel branches via commits b9d9a221bd14, 73ede654d9da, c49a2806836, c2ed4f71e928, and 9bdc1ab5e4ce as referenced in the git.kernel.org stable repository. Systems running older LoongArch kernels prior to these commits should be considered vulnerable. Consult the Linux stable kernel changelog and your distribution's kernel version mapping to determine exact affected releases.
Remediation
Update the Linux kernel to a version that includes the BPF JIT exception fixup patches for LoongArch. Check your distribution's security advisories and kernel release notes for the specific version that includes commits from the git.kernel.org stable branch references (b9d9a221bd14, 73ede654d9da, c49a2806836, c2ed4f71e928, or 9bdc1ab5e4ce). For systems where immediate kernel updates are not possible, restrict BPF program loading to trusted sources by enforcing CAP_BPF-based access controls and disabling unprivileged BPF loading via the kernel.unprivileged_bpf_disabled sysctl parameter. Validate that any deployed BPF programs do not rely on BPF_PROBE_MEM* instructions to perform memory access error recovery until the patch is applied.
Vendor Status
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 5.10.223-1 | - |
| bullseye (security) | vulnerable | 5.10.251-1 | - |
| bookworm | fixed | 6.1.164-1 | - |
| bookworm (security) | fixed | 6.1.164-1 | - |
| trixie | fixed | 6.12.73-1 | - |
| trixie (security) | fixed | 6.12.74-2 | - |
| forky | fixed | 6.19.6-2 | - |
| sid | fixed | 6.19.8-1 | - |
| (unstable) | fixed | 6.18.10-1 | - |
EUVD-2025-208844