CVE-2025-38502

EUVD-2025-25076
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix oob access in cgroup local storage

Lonial reported that an out-of-bounds access in cgroup local storage
can be crafted via tail calls. Given two programs each utilizing a
cgroup local storage with a different value size, and one program
doing a tail call into the other. The verifier will validate each of
the indivial programs just fine. However, in the runtime context
the bpf_cg_run_ctx holds an bpf_prog_array_item which contains the
BPF program as well as any cgroup local storage flavor the program
uses. Helpers such as bpf_get_local_storage() pick this up from the
runtime context:

  ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx);
  storage = ctx->prog_item->cgroup_storage[stype];

  if (stype == BPF_CGROUP_STORAGE_SHARED)
    ptr = &READ_ONCE(storage->buf)->data[0];
  else
    ptr = this_cpu_ptr(storage->percpu_buf);

For the second program which was called from the originally attached
one, this means bpf_get_local_storage() will pick up the former
program's map, not its own. With mismatching sizes, this can result
in an unintended out-of-bounds access.

To fix this issue, we need to extend bpf_map_owner with an array of
storage_cookie[] to match on i) the exact maps from the original
program if the second program was using bpf_get_local_storage(), or
ii) allow the tail call combination if the second program was not
using any of the cgroup local storage maps.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
siemens-SADPADP
7.1 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 4%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
5.9 ≤
𝑥
< 5.15.192
linuxlinux_kernel
5.16 ≤
𝑥
< 6.1.151
linuxlinux_kernel
6.2 ≤
𝑥
< 6.6.105
linuxlinux_kernel
6.7 ≤
𝑥
< 6.12.46
linuxlinux_kernel
6.13 ≤
𝑥
< 6.16.1
debiandebian_linux
11.0
siemenssimatic_cn_4100_firmware
𝑥
< 5.0
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
SiemensSIMATIC CN 4100
𝑥
< V5.0
ADP
siemenssimatic_cn_4100
𝑥
< 5.0
ADP
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.170-3
fixed
bookworm (security)
6.1.176-1
fixed
bullseye
vulnerable
bullseye (security)
vulnerable
forky
7.0.13-1
fixed
sid
7.1.3-1
fixed
trixie
6.12.86-1
fixed
trixie (security)
6.12.95-1
fixed
linux-6.1
bullseye (security)
6.1.176-1~deb11u1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
bpftool
Amazon Linux 2023
1:6.1.153-175.280.amzn2023
fixed
bpftool-debuginfo
Amazon Linux 2023
1:6.1.153-175.280.amzn2023
fixed
bpftool6.12
Amazon Linux 2023
1:6.12.46-66.121.amzn2023
fixed
bpftool6.12-debuginfo
Amazon Linux 2023
1:6.12.46-66.121.amzn2023
fixed
kernel
Amazon Linux 2023
1:6.1.153-175.280.amzn2023
fixed
kernel-debuginfo
Amazon Linux 2023
1:6.1.153-175.280.amzn2023
fixed
kernel-debuginfo-common-aarch64
Amazon Linux 2023
1:6.1.153-175.280.amzn2023
fixed
kernel-debuginfo-common-x86_64
Amazon Linux 2023
1:6.1.153-175.280.amzn2023
fixed
kernel-devel
Amazon Linux 2023
1:6.1.153-175.280.amzn2023
fixed
kernel-headers
Amazon Linux 2023
1:6.1.153-175.280.amzn2023
fixed
kernel-libbpf
Amazon Linux 2023
1:6.1.153-175.280.amzn2023
fixed
kernel-libbpf-debuginfo
Amazon Linux 2023
1:6.1.153-175.280.amzn2023
fixed
kernel-libbpf-devel
Amazon Linux 2023
1:6.1.153-175.280.amzn2023
fixed
kernel-libbpf-static
Amazon Linux 2023
1:6.1.153-175.280.amzn2023
fixed
kernel-livepatch-6.1.153-175.280
Amazon Linux 2023
1:1.0-0.amzn2023
fixed
kernel-livepatch-6.12.46-66.121
Amazon Linux 2023
1:1.0-0.amzn2023
fixed
kernel-modules-extra
Amazon Linux 2023
1:6.1.153-175.280.amzn2023
fixed
kernel-modules-extra-common
Amazon Linux 2023
1:6.1.153-175.280.amzn2023
fixed
kernel-tools
Amazon Linux 2023
1:6.1.153-175.280.amzn2023
fixed
kernel-tools-debuginfo
Amazon Linux 2023
1:6.1.153-175.280.amzn2023
fixed
kernel-tools-devel
Amazon Linux 2023
1:6.1.153-175.280.amzn2023
fixed
kernel6.12
Amazon Linux 2023
1:6.12.46-66.121.amzn2023
fixed
kernel6.12-debuginfo
Amazon Linux 2023
1:6.12.46-66.121.amzn2023
fixed
kernel6.12-debuginfo-common-aarch64
Amazon Linux 2023
1:6.12.46-66.121.amzn2023
fixed
kernel6.12-debuginfo-common-x86_64
Amazon Linux 2023
1:6.12.46-66.121.amzn2023
fixed
kernel6.12-devel
Amazon Linux 2023
1:6.12.46-66.121.amzn2023
fixed
kernel6.12-headers
Amazon Linux 2023
1:6.12.46-66.121.amzn2023
fixed
kernel6.12-libbpf
Amazon Linux 2023
1:6.12.46-66.121.amzn2023
fixed
kernel6.12-libbpf-debuginfo
Amazon Linux 2023
1:6.12.46-66.121.amzn2023
fixed
kernel6.12-libbpf-devel
Amazon Linux 2023
1:6.12.46-66.121.amzn2023
fixed
kernel6.12-libbpf-static
Amazon Linux 2023
1:6.12.46-66.121.amzn2023
fixed
kernel6.12-modules-extra
Amazon Linux 2023
1:6.12.46-66.121.amzn2023
fixed
kernel6.12-modules-extra-common
Amazon Linux 2023
1:6.12.46-66.121.amzn2023
fixed
kernel6.12-tools
Amazon Linux 2023
1:6.12.46-66.121.amzn2023
fixed
kernel6.12-tools-debuginfo
Amazon Linux 2023
1:6.12.46-66.121.amzn2023
fixed
kernel6.12-tools-devel
Amazon Linux 2023
1:6.12.46-66.121.amzn2023
fixed
perf
Amazon Linux 2023
1:6.1.153-175.280.amzn2023
fixed
perf-debuginfo
Amazon Linux 2023
1:6.1.153-175.280.amzn2023
fixed
perf6.12
Amazon Linux 2023
1:6.12.46-66.121.amzn2023
fixed
perf6.12-debuginfo
Amazon Linux 2023
1:6.12.46-66.121.amzn2023
fixed
python3-perf
Amazon Linux 2023
1:6.1.153-175.280.amzn2023
fixed
python3-perf-debuginfo
Amazon Linux 2023
1:6.1.153-175.280.amzn2023
fixed
python3-perf6.12
Amazon Linux 2023
1:6.12.46-66.121.amzn2023
fixed
python3-perf6.12-debuginfo
Amazon Linux 2023
1:6.12.46-66.121.amzn2023
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
kernel
Azure Linux 3.0
0:6.6.112.1-1.azl3
fixed
CBL-Mariner 2.0
0:5.15.200.1-1.cm2
fixed