CVE-2025-38502

HIGH EPSS 4.2%
Published Aug 16, 202510mo ago · Modified Jun 17, 20261w ago
7.1 CVSS 3.1
High
Find Similar
Published Aug 16, 2025 10mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix oob access in cgroup local storage Lonial reported that an out-of-bounds access in cgroup local storage can be crafted via tail calls. Given two programs each utilizing a cgroup local storage with a different value size, and one program doing a tail call into the other. The verifier will validate each of the indivial programs just fine. However, in the runtime context the bpf_cg_run_ctx holds an bpf_prog_array_item which contains the BPF program as well as any cgroup local storage flavor the program uses. Helpers such as bpf_get_local_storage() pick this up from the runtime context: ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx); storage = ctx->prog_item->cgroup_storage[stype]; if (stype == BPF_CGROUP_STORAGE_SHARED) ptr = &READ_ONCE(storage->buf)->data[0]; else ptr = this_cpu_ptr(storage->percpu_buf); For the second program which was called from the originally attached one, this means bpf_get_local_storage() will pick up the former program's map, not its own. With mismatching sizes, this can result in an unintended out-of-bounds access. To fix this issue, we need to extend bpf_map_owner with an array of storage_cookie[] to match on i) the exact maps from the original program if the second program was using bpf_get_local_storage(), or ii) allow the tail call combination if the second program was not using any of the cgroup local storage maps.

CVSS Details

Base Score
7.1
Exploitability
1.8
Impact
5.2
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
4.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-125 Out-of-bounds Read Memory Safety

Affected Products 8

VendorProductVersionRange
linuxlinux_kernel*≥5.9  –  <5.15.192
linuxlinux_kernel*≥5.16  –  <6.1.151
linuxlinux_kernel*≥6.2  –  <6.6.105
linuxlinux_kernel*≥6.7  –  <6.12.46
linuxlinux_kernel*≥6.13  –  <6.16.1
debiandebian_linux11.0any
siemenssimatic_cn_4100_firmware* <5.0
siemenssimatic_cn_4100*any

References 8

  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/html/ssa-032379.html
    Third Party Advisory
  • git.kernel.org https://git.kernel.org/stable/c/19341d5c59e8c7e8528e40f8663e99d67810473c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/41688d1fc5d163a6c2c0e95c0419e2cb31a44648
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/66da7cee78590259b400e51a70622ccd41da7bb2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7acfa07c585e3d7a64654d38f0a5c762877d0b9b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/abad3d0bad72a52137e0c350c59542d75ae4f513
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c1c74584b9b4043c52e41fec415226e582d266a3
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
    Mailing ListThird Party Advisory

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/19341d5c59e8c7e8528e40f8663e99d67810473c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/41688d1fc5d163a6c2c0e95c0419e2cb31a44648
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/66da7cee78590259b400e51a70622ccd41da7bb2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7acfa07c585e3d7a64654d38f0a5c762877d0b9b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/abad3d0bad72a52137e0c350c59542d75ae4f513
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c1c74584b9b4043c52e41fec415226e582d266a3
    Patch