CVE-2025-38591

{"id": "CVE-2025-38591", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-08-19T17:15:36.790", "references": [{"url": "https://git.kernel.org/stable/c/058a0da4f6d916a79b693384111bb80a90d73763", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/202900ceeef67458c964c2af6e1427c8e533ea7c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/33660d44e789edb4f303210c813fc56d56377a90", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7847c4140e06f6e87229faae22cc38525334c156", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e09299225d5ba3916c91ef70565f7d2187e4cca0", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/feae34c992eb7191862fb1594c704fbbf650fef8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reject narrower access to pointer ctx fields\n\nThe following BPF program, simplified from a syzkaller repro, causes a\nkernel warning:\n\n r0 = *(u8 *)(r1 + 169);\n exit;\n\nWith pointer field sk being at offset 168 in __sk_buff. This access is\ndetected as a narrower read in bpf_skb_is_valid_access because it\ndoesn't match offsetof(struct __sk_buff, sk). It is therefore allowed\nand later proceeds to bpf_convert_ctx_access. Note that for the\n\"is_narrower_load\" case in the convert_ctx_accesses(), the insn->off\nis aligned, so the cnt may not be 0 because it matches the\noffsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However,\nthe target_size stays 0 and the verifier errors with a kernel warning:\n\n verifier bug: error during ctx access conversion(1)\n\nThis patch fixes that to return a proper \"invalid bpf_context access\noff=X size=Y\" error on the load instruction.\n\nThe same issue affects multiple other fields in context structures that\nallow narrow access. Some other non-affected fields (for sk_msg,\nsk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for\nconsistency.\n\nNote this syzkaller crash was reported in the \"Closes\" link below, which\nused to be about a different bug, fixed in\ncommit fce7bd8e385a (\"bpf/verifier: Handle BPF_LOAD_ACQ instructions\nin insn_def_regno()\"). Because syzbot somehow confused the two bugs,\nthe new crash and repro didn't get reported to the mailing list."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: Rechazo de acceso m\u00e1s estrecho a campos de puntero ctx. El siguiente programa BPF, simplificado a partir de una reproducci\u00f3n de syzkaller, genera una advertencia del kernel: r0 = *(u8 *)(r1 + 169); exit; Con el campo de puntero sk en el desplazamiento 168 en __sk_buff. Este acceso se detecta como una lectura m\u00e1s estrecha en bpf_skb_is_valid_access porque no coincide con offsetof(struct __sk_buff, sk). Por lo tanto, se permite y posteriormente procede a bpf_convert_ctx_access. Tenga en cuenta que para el caso \"is_narrower_load\" en convert_ctx_accesses(), insn->off est\u00e1 alineado, por lo que cnt puede no ser 0 porque coincide con offsetof(struct __sk_buff, sk) en bpf_convert_ctx_access. Sin embargo, el tama\u00f1o objetivo permanece en 0 y el verificador genera una advertencia del kernel: error del verificador: error durante la conversi\u00f3n de acceso a ctx(1). Este parche corrige este error para devolver un error correcto de \"acceso a bpf_context no v\u00e1lido off=X size=Y\" en la instrucci\u00f3n de carga. El mismo problema afecta a varios campos en las estructuras de contexto que permiten acceso restringido. Algunos campos no afectados (para sk_msg, sk_lookup y sockopt) tambi\u00e9n se modificaron para usar bpf_ctx_range_ptr por consistencia. Tenga en cuenta que este fallo de syzkaller se report\u00f3 en el enlace \"Cierres\" a continuaci\u00f3n, que sol\u00eda referirse a un error diferente, corregido en el commit fce7bd8e385a (\"bpf/verifier: Handle BPF_LOAD_ACQ instructions in insn_def_regno()\"). Debido a que syzbot confundi\u00f3 de alguna manera los dos errores, el nuevo fallo y la reproducci\u00f3n no se reportaron a la lista de correo."}], "lastModified": "2026-02-06T17:16:16.533", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AB2224FC-84B3-4160-8586-B94DC0B0080B", "versionEndExcluding": "6.16.1", "versionStartIncluding": "4.13"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}