CVE-2025-38502
BaseFortify

Publication date: 2025-08-16

Last updated on: 2025-11-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix oob access in cgroup local storage

Lonial reported that an out-of-bounds access in cgroup local storage can be crafted via tail calls. Given two programs, each utilizing a cgroup local storage with a different value size, and one program doing a tail call into the other, the verifier will validate each of the individual programs just fine. However, in the runtime context the bpf_cg_run_ctx holds a bpf_prog_array_item which contains the BPF program as well as any cgroup local storage flavor the program uses. Helpers such as bpf_get_local_storage() pick this up from the runtime context:

    ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx);
    storage = ctx->prog_item->cgroup_storage[stype];
    if (stype == BPF_CGROUP_STORAGE_SHARED)
        ptr = &READ_ONCE(storage->buf)->data[0];
    else
        ptr = this_cpu_ptr(storage->percpu_buf);

For the second program which was called from the originally attached one, this means bpf_get_local_storage() will pick up the former program's map, not its own. With mismatching sizes, this can result in an unintended out-of-bounds access. To fix this issue, we need to extend bpf_map_owner with an array of storage_cookie[] to match on i) the exact maps from the original program if the second program was using bpf_get_local_storage(), or ii) allow the tail call combination if the second program was not using any of the cgroup local storage maps.
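A user-space model of the mismatch and of the fix's matching rule, added here as an illustration; it is not kernel code. The struct names mirror the description, while the map sizes, cookies and program names are constructed.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

#define NR_STORAGE_TYPES 2 /* shared and per-CPU flavors */

struct cg_storage_map { uint32_t value_size; uint64_t cookie; }; /* bytes per value, map identity */
struct prog { const char *name; const struct cg_storage_map *storage[NR_STORAGE_TYPES]; }; /* NULL = flavor unused */
struct run_ctx { const struct prog *attached; }; /* helpers only see the attached program's item */

/* Pre-fix hazard: the callee was verified against its own map, but at run time
 * bpf_get_local_storage() hands it the attached program's buffer instead. */
static bool tail_call_oob(const struct run_ctx *ctx, const struct prog *callee)
{
    for (int st = 0; st < NR_STORAGE_TYPES; st++) {
        const struct cg_storage_map *used = callee->storage[st];
        const struct cg_storage_map *got = ctx->attached->storage[st];
        if (used && (!got || used->value_size > got->value_size))
            return true; /* verified accesses exceed the buffer actually supplied */
    }
    return false;
}

/* The fix's rule, checked when a program is added to the tail-call map:
 * (i) every storage map the callee uses must be the owner's exact map (cookie match), or
 * (ii) the callee uses no cgroup local storage at all. */
static bool tail_call_allowed(const struct prog *owner, const struct prog *callee)
{
    for (int st = 0; st < NR_STORAGE_TYPES; st++) {
        const struct cg_storage_map *c = callee->storage[st];
        if (c && (!owner->storage[st] || owner->storage[st]->cookie != c->cookie))
            return false;
    }
    return true;
}

/* Constructed scenario (hypothetical sizes): A is attached with a 16-byte shared
 * storage, B was verified against a 64-byte one, C uses no cgroup storage. */
static const struct cg_storage_map map_a = { 16, 1 }, map_b = { 64, 2 };
static const struct prog prog_a = { "prog_a", { &map_a, NULL } };
static const struct prog prog_b = { "prog_b", { &map_b, NULL } };
static const struct prog prog_c = { "prog_c", { NULL, NULL } };

bool scenario_oob_before_fix(void) { struct run_ctx ctx = { &prog_a }; return tail_call_oob(&ctx, &prog_b); }
bool scenario_fix_rejects_mismatch(void) { return !tail_call_allowed(&prog_a, &prog_b); }
bool scenario_fix_allows_storage_free_callee(void) { return tail_call_allowed(&prog_a, &prog_c); }

int main(void)
{
    printf("%s->%s unfixed oob=%d, fixed allowed=%d; %s->%s fixed allowed=%d\n",
           prog_a.name, prog_b.name, scenario_oob_before_fix(), tail_call_allowed(&prog_a, &prog_b),
           prog_a.name, prog_c.name, scenario_fix_allows_storage_free_callee());
    return 0;
}
```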
Meta Information
Published
2025-08-16
Last Modified
2025-11-03
Generated
2026-05-27
AI Q&A
2025-08-16
EPSS Evaluated
2026-05-25
NVD
Affected Vendors & Products
Vendor Product Version / Range
linux linux_kernel 6.1.153
Exploitability
CWE
KEV
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an out-of-bounds (OOB) access issue in the Linux kernel's eBPF subsystem related to cgroup local storage. It occurs when two eBPF programs use cgroup local storage with different value sizes and one program performs a tail call into the other. Although each program is individually verified as safe, at runtime the second program may access the first program's cgroup local storage map due to how the runtime context is handled. This mismatch in storage sizes can lead to unintended out-of-bounds memory access, potentially causing memory corruption or crashes. The fix involves extending the bpf_map_owner structure to correctly match storage maps between programs during tail calls, preventing this OOB access.


How can this vulnerability impact me?

This vulnerability can lead to out-of-bounds memory access in the Linux kernel when using eBPF programs with cgroup local storage and tail calls. Such memory corruption can cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges within the kernel context, depending on the exploitation scenario. Therefore, it poses a risk to system security and reliability.

