{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38591","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:24.026Z","datePublished":"2025-08-19T17:03:12.508Z","dateUpdated":"2026-05-11T21:31:12.628Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:31:12.628Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reject narrower access to pointer ctx fields\n\nThe following BPF program, simplified from a syzkaller repro, causes a\nkernel warning:\n\n    r0 = *(u8 *)(r1 + 169);\n    exit;\n\nWith pointer field sk being at offset 168 in __sk_buff. This access is\ndetected as a narrower read in bpf_skb_is_valid_access because it\ndoesn't match offsetof(struct __sk_buff, sk). It is therefore allowed\nand later proceeds to bpf_convert_ctx_access. Note that for the\n\"is_narrower_load\" case in the convert_ctx_accesses(), the insn->off\nis aligned, so the cnt may not be 0 because it matches the\noffsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However,\nthe target_size stays 0 and the verifier errors with a kernel warning:\n\n    verifier bug: error during ctx access conversion(1)\n\nThis patch fixes that to return a proper \"invalid bpf_context access\noff=X size=Y\" error on the load instruction.\n\nThe same issue affects multiple other fields in context structures that\nallow narrow access. Some other non-affected fields (for sk_msg,\nsk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for\nconsistency.\n\nNote this syzkaller crash was reported in the \"Closes\" link below, which\nused to be about a different bug, fixed in\ncommit fce7bd8e385a (\"bpf/verifier: Handle BPF_LOAD_ACQ instructions\nin insn_def_regno()\"). Because syzbot somehow confused the two bugs,\nthe new crash and repro didn't get reported to the mailing list."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/bpf/cgroup.c","net/core/filter.c"],"versions":[{"version":"f96da09473b52c09125cc9bf7d7d4576ae8229e0","lessThan":"7847c4140e06f6e87229faae22cc38525334c156","status":"affected","versionType":"git"},{"version":"f96da09473b52c09125cc9bf7d7d4576ae8229e0","lessThan":"feae34c992eb7191862fb1594c704fbbf650fef8","status":"affected","versionType":"git"},{"version":"f96da09473b52c09125cc9bf7d7d4576ae8229e0","lessThan":"33660d44e789edb4f303210c813fc56d56377a90","status":"affected","versionType":"git"},{"version":"f96da09473b52c09125cc9bf7d7d4576ae8229e0","lessThan":"058a0da4f6d916a79b693384111bb80a90d73763","status":"affected","versionType":"git"},{"version":"f96da09473b52c09125cc9bf7d7d4576ae8229e0","lessThan":"202900ceeef67458c964c2af6e1427c8e533ea7c","status":"affected","versionType":"git"},{"version":"f96da09473b52c09125cc9bf7d7d4576ae8229e0","lessThan":"e09299225d5ba3916c91ef70565f7d2187e4cca0","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/bpf/cgroup.c","net/core/filter.c"],"versions":[{"version":"4.13","status":"affected"},{"version":"0","lessThan":"4.13","status":"unaffected","versionType":"semver"},{"version":"5.10.249","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.199","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.162","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.12.67","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.16.1","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"5.10.249"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"5.15.199"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"6.1.162"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"6.12.67"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"6.16.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/7847c4140e06f6e87229faae22cc38525334c156"},{"url":"https://git.kernel.org/stable/c/feae34c992eb7191862fb1594c704fbbf650fef8"},{"url":"https://git.kernel.org/stable/c/33660d44e789edb4f303210c813fc56d56377a90"},{"url":"https://git.kernel.org/stable/c/058a0da4f6d916a79b693384111bb80a90d73763"},{"url":"https://git.kernel.org/stable/c/202900ceeef67458c964c2af6e1427c8e533ea7c"},{"url":"https://git.kernel.org/stable/c/e09299225d5ba3916c91ef70565f7d2187e4cca0"}],"title":"bpf: Reject narrower access to pointer ctx fields","x_generator":{"engine":"bippy-1.2.0"}}}}