-
CVE-2025-38502
- EPSS 0.05%
- Veröffentlicht 16.08.2025 09:34:25
- Zuletzt bearbeitet 09.09.2025 17:15:44
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- Teams Watchlist Login
- Unerledigt Login
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix oob access in cgroup local storage
Lonial reported that an out-of-bounds access in cgroup local storage
can be crafted via tail calls. Given two programs each utilizing a
cgroup local storage with a different value size, and one program
doing a tail call into the other. The verifier will validate each of
the indivial programs just fine. However, in the runtime context
the bpf_cg_run_ctx holds an bpf_prog_array_item which contains the
BPF program as well as any cgroup local storage flavor the program
uses. Helpers such as bpf_get_local_storage() pick this up from the
runtime context:
ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx);
storage = ctx->prog_item->cgroup_storage[stype];
if (stype == BPF_CGROUP_STORAGE_SHARED)
ptr = &READ_ONCE(storage->buf)->data[0];
else
ptr = this_cpu_ptr(storage->percpu_buf);
For the second program which was called from the originally attached
one, this means bpf_get_local_storage() will pick up the former
program's map, not its own. With mismatching sizes, this can result
in an unintended out-of-bounds access.
To fix this issue, we need to extend bpf_map_owner with an array of
storage_cookie[] to match on i) the exact maps from the original
program if the second program was using bpf_get_local_storage(), or
ii) allow the tail call combination if the second program was not
using any of the cgroup local storage maps.Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
≫
Produkt
Linux
Default Statusunaffected
Version <
c1c74584b9b4043c52e41fec415226e582d266a3
Version
7d9c3427894fe70d1347b4820476bf37736d2ff0
Status
affected
Version <
66da7cee78590259b400e51a70622ccd41da7bb2
Version
7d9c3427894fe70d1347b4820476bf37736d2ff0
Status
affected
Version <
7acfa07c585e3d7a64654d38f0a5c762877d0b9b
Version
7d9c3427894fe70d1347b4820476bf37736d2ff0
Status
affected
Version <
41688d1fc5d163a6c2c0e95c0419e2cb31a44648
Version
7d9c3427894fe70d1347b4820476bf37736d2ff0
Status
affected
Version <
19341d5c59e8c7e8528e40f8663e99d67810473c
Version
7d9c3427894fe70d1347b4820476bf37736d2ff0
Status
affected
Version <
abad3d0bad72a52137e0c350c59542d75ae4f513
Version
7d9c3427894fe70d1347b4820476bf37736d2ff0
Status
affected
HerstellerLinux
≫
Produkt
Linux
Default Statusaffected
Version
5.9
Status
affected
Version <
5.9
Version
0
Status
unaffected
Version <=
5.15.*
Version
5.15.192
Status
unaffected
Version <=
6.1.*
Version
6.1.151
Status
unaffected
Version <=
6.6.*
Version
6.6.105
Status
unaffected
Version <=
6.12.*
Version
6.12.46
Status
unaffected
Version <=
6.16.*
Version
6.16.1
Status
unaffected
Version <=
*
Version
6.17-rc1
Status
unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.05% | 0.155 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|