CVE-2025-39748

EPSS 0.02%
Published 11.09.2025 16:52:20
Last modified 15.09.2025 15:22:38
Source 416baaa9-dc9f-4396-8d5f-8c081f
Teams watchlist Login
Open Login

In the Linux kernel, the following vulnerability has been resolved:

bpf: Forget ranges when refining tnum after JSET

Syzbot reported a kernel warning due to a range invariant violation on
the following BPF program.

  0: call bpf_get_netns_cookie
  1: if r0 == 0 goto <exit>
  2: if r0 & Oxffffffff goto <exit>

The issue is on the path where we fall through both jumps.

That path is unreachable at runtime: after insn 1, we know r0 != 0, but
with the sign extension on the jset, we would only fallthrough insn 2
if r0 == 0. Unfortunately, is_branch_taken() isn't currently able to
figure this out, so the verifier walks all branches. The verifier then
refines the register bounds using the second condition and we end
up with inconsistent bounds on this unreachable path:

  1: if r0 == 0 goto <exit>
    r0: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0xffffffffffffffff)
  2: if r0 & 0xffffffff goto <exit>
    r0 before reg_bounds_sync: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0)
    r0 after reg_bounds_sync:  u64=[0x1, 0] var_off=(0, 0)

Improving the range refinement for JSET to cover all cases is tricky. We
also don't expect many users to rely on JSET given LLVM doesn't generate
those instructions. So instead of improving the range refinement for
JSETs, Eduard suggested we forget the ranges whenever we're narrowing
tnums after a JSET. This patch implements that approach.

Affected products Warnungen 0 Metrics 1 CWE 0 References 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

VendorLinux

≫

Product Linux

Default Statusunaffected

Version < f01e06930444cab289a8783017af9b64255bd103

Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Status affected

Version < 2fd0c26bacd90ef26522bd3169000a4715bf151f

Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Status affected

Version < 80a6b11862a7cfdf691e8f9faee89cfea219f098

Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Status affected

Version < 6279846b9b2532e1b04559ef8bd0dec049f29383

Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Status affected

VendorLinux

≫

Product Linux

Default Statusaffected

Version <= 6.12.*

Version 6.12.43

Status unaffected

Version <= 6.15.*

Version 6.15.11

Status unaffected

Version <= 6.16.*

Version 6.16.2

Status unaffected

Version <= *

Version 6.17-rc1

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.02%	0.046

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string

https://git.kernel.org/stable/c/f01e06930444cab289a8783017af9b64255bd103

https://git.kernel.org/stable/c/2fd0c26bacd90ef26522bd3169000a4715bf151f

https://git.kernel.org/stable/c/80a6b11862a7cfdf691e8f9faee89cfea219f098

https://git.kernel.org/stable/c/6279846b9b2532e1b04559ef8bd0dec049f29383

https://nvd.nist.gov/vuln/detail/CVE-2025-39748

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-39748

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-39748

EUVD