CVE-2025-38591

MEDIUM EPSS 7.7%
Published Aug 19, 202510mo ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Aug 19, 2025 10mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Reject narrower access to pointer ctx fields The following BPF program, simplified from a syzkaller repro, causes a kernel warning: r0 = *(u8 *)(r1 + 169); exit; With pointer field sk being at offset 168 in __sk_buff. This access is detected as a narrower read in bpf_skb_is_valid_access because it doesn't match offsetof(struct __sk_buff, sk). It is therefore allowed and later proceeds to bpf_convert_ctx_access. Note that for the "is_narrower_load" case in the convert_ctx_accesses(), the insn->off is aligned, so the cnt may not be 0 because it matches the offsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However, the target_size stays 0 and the verifier errors with a kernel warning: verifier bug: error during ctx access conversion(1) This patch fixes that to return a proper "invalid bpf_context access off=X size=Y" error on the load instruction. The same issue affects multiple other fields in context structures that allow narrow access. Some other non-affected fields (for sk_msg, sk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for consistency. Note this syzkaller crash was reported in the "Closes" link below, which used to be about a different bug, fixed in commit fce7bd8e385a ("bpf/verifier: Handle BPF_LOAD_ACQ instructions in insn_def_regno()"). Because syzbot somehow confused the two bugs, the new crash and repro didn't get reported to the mailing list.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
7.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 1

VendorProductVersionRange
linuxlinux_kernel*≥4.13  –  <6.16.1

References 6

  • git.kernel.org https://git.kernel.org/stable/c/058a0da4f6d916a79b693384111bb80a90d73763
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/202900ceeef67458c964c2af6e1427c8e533ea7c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/33660d44e789edb4f303210c813fc56d56377a90
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7847c4140e06f6e87229faae22cc38525334c156
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e09299225d5ba3916c91ef70565f7d2187e4cca0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/feae34c992eb7191862fb1594c704fbbf650fef8
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/058a0da4f6d916a79b693384111bb80a90d73763
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/202900ceeef67458c964c2af6e1427c8e533ea7c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/33660d44e789edb4f303210c813fc56d56377a90
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7847c4140e06f6e87229faae22cc38525334c156
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e09299225d5ba3916c91ef70565f7d2187e4cca0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/feae34c992eb7191862fb1594c704fbbf650fef8
    Patch