CVE-2025-38591
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-19

Last updated on: 2026-03-17

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Reject narrower access to pointer ctx fields The following BPF program, simplified from a syzkaller repro, causes a kernel warning: r0 = *(u8 *)(r1 + 169); exit; With pointer field sk being at offset 168 in __sk_buff. This access is detected as a narrower read in bpf_skb_is_valid_access because it doesn't match offsetof(struct __sk_buff, sk). It is therefore allowed and later proceeds to bpf_convert_ctx_access. Note that for the "is_narrower_load" case in the convert_ctx_accesses(), the insn->off is aligned, so the cnt may not be 0 because it matches the offsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However, the target_size stays 0 and the verifier errors with a kernel warning: verifier bug: error during ctx access conversion(1) This patch fixes that to return a proper "invalid bpf_context access off=X size=Y" error on the load instruction. The same issue affects multiple other fields in context structures that allow narrow access. Some other non-affected fields (for sk_msg, sk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for consistency. Note this syzkaller crash was reported in the "Closes" link below, which used to be about a different bug, fixed in commit fce7bd8e385a ("bpf/verifier: Handle BPF_LOAD_ACQ instructions in insn_def_regno()"). Because syzbot somehow confused the two bugs, the new crash and repro didn't get reported to the mailing list.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-19
Last Modified
2026-03-17
Generated
2026-05-07
AI Q&A
2025-08-19
EPSS Evaluated
2026-05-05
NVD
CVE-2025-38591
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-NVD-CWE-noinfo
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :

This vulnerability can cause kernel warnings and verifier bugs when running certain BPF programs that perform improper narrower pointer accesses. This may lead to instability or crashes in the kernel's BPF verifier, potentially affecting system reliability and security when using BPF programs that interact with network packet buffers.


Can you explain this vulnerability to me?

This vulnerability in the Linux kernel's BPF subsystem involves improper handling of narrower access to pointer context fields. Specifically, a BPF program can perform a narrower read on a pointer field in the __sk_buff structure that is not properly validated, leading to a kernel warning and verifier bug during context access conversion. The issue arises because the verifier allows certain narrower reads that do not match expected offsets, causing incorrect validation and potential kernel warnings or crashes. The patch fixes this by returning a proper invalid access error for such loads.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart