{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2025-38591", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:24.026Z", "datePublished": "2025-08-19T17:03:12.508Z", "dateUpdated": "2026-06-11T18:44:11.247Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:31:12.628Z" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reject narrower access to pointer ctx fields\n\nThe following BPF program, simplified from a syzkaller repro, causes a\nkernel warning:\n\n r0 = *(u8 *)(r1 + 169);\n exit;\n\nWith pointer field sk being at offset 168 in __sk_buff. This access is\ndetected as a narrower read in bpf_skb_is_valid_access because it\ndoesn't match offsetof(struct __sk_buff, sk). It is therefore allowed\nand later proceeds to bpf_convert_ctx_access. Note that for the\n\"is_narrower_load\" case in the convert_ctx_accesses(), the insn->off\nis aligned, so the cnt may not be 0 because it matches the\noffsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However,\nthe target_size stays 0 and the verifier errors with a kernel warning:\n\n verifier bug: error during ctx access conversion(1)\n\nThis patch fixes that to return a proper \"invalid bpf_context access\noff=X size=Y\" error on the load instruction.\n\nThe same issue affects multiple other fields in context structures that\nallow narrow access. Some other non-affected fields (for sk_msg,\nsk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for\nconsistency.\n\nNote this syzkaller crash was reported in the \"Closes\" link below, which\nused to be about a different bug, fixed in\ncommit fce7bd8e385a (\"bpf/verifier: Handle BPF_LOAD_ACQ instructions\nin insn_def_regno()\"). Because syzbot somehow confused the two bugs,\nthe new crash and repro didn't get reported to the mailing list." } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "kernel/bpf/cgroup.c", "net/core/filter.c" ], "versions": [ { "version": "f96da09473b52c09125cc9bf7d7d4576ae8229e0", "lessThan": "7847c4140e06f6e87229faae22cc38525334c156", "status": "affected", "versionType": "git" }, { "version": "f96da09473b52c09125cc9bf7d7d4576ae8229e0", "lessThan": "feae34c992eb7191862fb1594c704fbbf650fef8", "status": "affected", "versionType": "git" }, { "version": "f96da09473b52c09125cc9bf7d7d4576ae8229e0", "lessThan": "33660d44e789edb4f303210c813fc56d56377a90", "status": "affected", "versionType": "git" }, { "version": "f96da09473b52c09125cc9bf7d7d4576ae8229e0", "lessThan": "058a0da4f6d916a79b693384111bb80a90d73763", "status": "affected", "versionType": "git" }, { "version": "f96da09473b52c09125cc9bf7d7d4576ae8229e0", "lessThan": "202900ceeef67458c964c2af6e1427c8e533ea7c", "status": "affected", "versionType": "git" }, { "version": "f96da09473b52c09125cc9bf7d7d4576ae8229e0", "lessThan": "e09299225d5ba3916c91ef70565f7d2187e4cca0", "status": "affected", "versionType": "git" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "kernel/bpf/cgroup.c", "net/core/filter.c" ], "versions": [ { "version": "4.13", "status": "affected" }, { "version": "0", "lessThan": "4.13", "status": "unaffected", "versionType": "semver" }, { "version": "5.10.249", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver" }, { "version": "5.15.199", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.1.162", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.12.67", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.16.1", "lessThanOrEqual": "6.16.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.17", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "5.10.249" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "5.15.199" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "6.1.162" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "6.12.67" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "6.16.1" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "6.17" } ] } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/7847c4140e06f6e87229faae22cc38525334c156" }, { "url": "https://git.kernel.org/stable/c/feae34c992eb7191862fb1594c704fbbf650fef8" }, { "url": "https://git.kernel.org/stable/c/33660d44e789edb4f303210c813fc56d56377a90" }, { "url": "https://git.kernel.org/stable/c/058a0da4f6d916a79b693384111bb80a90d73763" }, { "url": "https://git.kernel.org/stable/c/202900ceeef67458c964c2af6e1427c8e533ea7c" }, { "url": "https://git.kernel.org/stable/c/e09299225d5ba3916c91ef70565f7d2187e4cca0" } ], "title": "bpf: Reject narrower access to pointer ctx fields", "x_generator": { "engine": "bippy-1.2.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "id": "CVE-2025-38591", "role": "CISA Coordinator", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "version": "2.0.3", "timestamp": "2026-06-10T20:41:20.077651Z" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-11T18:44:11.247Z" } } ] } }