CVE-2025-38723
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-04

Last updated on: 2025-11-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: Fix jump offset calculation in tailcall The extra pass of bpf_int_jit_compile() skips JIT context initialization which essentially skips offset calculation leaving out_offset = -1, so the jmp_offset in emit_bpf_tail_call is calculated by "#define jmp_offset (out_offset - (cur_offset))" is a negative number, which is wrong. The final generated assembly are as follow. 54: bgeu $a2, $t1, -8 # 0x0000004c 58: addi.d $a6, $s5, -1 5c: bltz $a6, -16 # 0x0000004c 60: alsl.d $t2, $a2, $a1, 0x3 64: ld.d $t2, $t2, 264 68: beq $t2, $zero, -28 # 0x0000004c Before apply this patch, the follow test case will reveal soft lock issues. cd tools/testing/selftests/bpf/ ./test_progs --allow=tailcalls/tailcall_bpf2bpf_1 dmesg: watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [test_progs:25056]
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-04
Last Modified
2025-11-03
Generated
2026-05-07
AI Q&A
2025-09-04
EPSS Evaluated
2026-05-05
NVD
CVE-2025-38723
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux 6.1.153
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Linux kernel's LoongArch BPF implementation is due to an incorrect jump offset calculation in the tailcall feature. Specifically, an extra pass in the bpf_int_jit_compile() function skips the JIT context initialization, causing the offset calculation to be incorrect (out_offset = -1). This results in a negative jump offset, which leads to incorrect assembly code generation. This flaw can cause soft lockups (CPU hangs) when running certain BPF test programs that use tailcalls.


How can this vulnerability impact me? :

This vulnerability can cause a soft lockup in the CPU, meaning the CPU can become stuck or unresponsive for an extended period (e.g., 26 seconds as observed in the test case). This can lead to system instability or denial of service when running affected BPF programs that use tailcalls on the LoongArch architecture.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by running the provided test case in the Linux kernel source tree under tools/testing/selftests/bpf/. Specifically, execute the command: cd tools/testing/selftests/bpf/ && ./test_progs --allow=tailcalls/tailcall_bpf2bpf_1. If the system is vulnerable, dmesg will show a soft lockup message such as: 'watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [test_progs:25056]'.


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to apply the patch that fixes the jump offset calculation in the LoongArch BPF tailcall implementation in the Linux kernel. Until the patch is applied, avoid running BPF programs that use tailcalls on affected systems to prevent soft lockups.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart