CVE-2025-40143

NONE EPSS 11.9%
Published Nov 12, 20257mo ago · Modified Jun 17, 20262w ago
Find Similar
Published Nov 12, 2025 7mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: dont report verifier bug for missing bpf_scc_visit on speculative path Syzbot generated a program that triggers a verifier_bug() call in maybe_exit_scc(). maybe_exit_scc() assumes that, when called for a state with insn_idx in some SCC, there should be an instance of struct bpf_scc_visit allocated for that SCC. Turns out the assumption does not hold for speculative execution paths. See example in the next patch. maybe_scc_exit() is called from update_branch_counts() for states that reach branch count of zero, meaning that path exploration for a particular path is finished. Path exploration can finish in one of three ways: a. Verification error is found. In this case, update_branch_counts() is called only for non-speculative paths. b. Top level BPF_EXIT is reached. Such instructions are never a part of an SCC, so compute_scc_callchain() in maybe_scc_exit() will return false, and maybe_scc_exit() will return early. c. A checkpoint is reached and matched. Checkpoints are created by is_state_visited(), which calls maybe_enter_scc(), which allocates bpf_scc_visit instances for checkpoints within SCCs. Hence, for non-speculative symbolic execution paths, the assumption still holds: if maybe_scc_exit() is called for a state within an SCC, bpf_scc_visit instance must exist. This patch removes the verifier_bug() call for speculative paths.

Threat Intelligence

EPSS Exploit Probability
11.9% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

References 2

  • git.kernel.org https://git.kernel.org/stable/c/3861e7c4324aa20a632fb74eb3904114f6afdb57
  • git.kernel.org https://git.kernel.org/stable/c/a3c73d629ea1373af3c0c954d41fd1af555492e3

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.