CVE-2025-22087

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix array bounds error with may_goto may_goto uses an additional 8 bytes on the stack, which causes the interpreters[] array to go out of bounds when calculating index by stack_size. 1. If a BPF program is rewritten, re-evaluate the stack size. For non-JIT cases, reject loading directly. 2. For non-JIT cases, calculating interpreters[idx] may still cause out-of-bounds array access, and just warn about it. 3. For jit_requested cases, the execution of bpf_func also needs to be warned. So move the definition of function __bpf_prog_ret0_warn out of the macro definition CONFIG_BPF_JIT_ALWAYS_ON.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/19e6817f84000d0b06f09fd69ebd56217842c122	Patch
https://git.kernel.org/stable/c/1a86ae57b2600e5749f5f674e9d4296ac00c69a8	Patch
https://git.kernel.org/stable/c/4524b7febdd55fb99ae2e1f48db64019fa69e643	Patch
https://git.kernel.org/stable/c/6ebc5030e0c5a698f1dd9a6684cddf6ccaed64a0	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

History

No history.

Information

Published : 2025-04-16 15:16

Updated : 2025-10-31 20:57

NVD link : CVE-2025-22087

Mitre link : CVE-2025-22087

CVE.ORG link : CVE-2025-22087

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-125

Out-of-bounds Read

{"id": "CVE-2025-22087", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.8}]}, "published": "2025-04-16T15:16:02.903", "references": [{"url": "https://git.kernel.org/stable/c/19e6817f84000d0b06f09fd69ebd56217842c122", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1a86ae57b2600e5749f5f674e9d4296ac00c69a8", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4524b7febdd55fb99ae2e1f48db64019fa69e643", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6ebc5030e0c5a698f1dd9a6684cddf6ccaed64a0", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-125"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix array bounds error with may_goto\n\nmay_goto uses an additional 8 bytes on the stack, which causes the\ninterpreters[] array to go out of bounds when calculating index by\nstack_size.\n\n1. If a BPF program is rewritten, re-evaluate the stack size. For non-JIT\ncases, reject loading directly.\n\n2. For non-JIT cases, calculating interpreters[idx] may still cause\nout-of-bounds array access, and just warn about it.\n\n3. For jit_requested cases, the execution of bpf_func also needs to be\nwarned. So move the definition of function __bpf_prog_ret0_warn out of\nthe macro definition CONFIG_BPF_JIT_ALWAYS_ON."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: Correcci\u00f3n del error de los l\u00edmites de la matriz con may_goto. may_goto utiliza 8 bytes adicionales en la pila, lo que provoca que la matriz interpreters[] salga de los l\u00edmites al calcular el \u00edndice mediante stack_size. 1. Si se reescribe un programa BPF, reeval\u00fae el tama\u00f1o de la pila. En casos que no sean JIT, rechace la carga directamente. 2. En casos que no sean JIT, el c\u00e1lculo de interpreters[idx] puede seguir provocando un acceso a la matriz fuera de los l\u00edmites y simplemente advertir al respecto. 3. En casos con jit_requested, tambi\u00e9n se debe advertir la ejecuci\u00f3n de bpf_func. Por lo tanto, mueva la definici\u00f3n de la funci\u00f3n __bpf_prog_ret0_warn fuera de la definici\u00f3n de la macro CONFIG_BPF_JIT_ALWAYS_ON."}], "lastModified": "2025-10-31T20:57:00.417", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "10F3EB18-ACA3-4775-AC8D-C1CC227D2763", "versionEndExcluding": "6.12.23", "versionStartIncluding": "6.9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E7E864B0-8C00-4679-BA55-659B4C9C3AD3", "versionEndExcluding": "6.13.11", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FADAE5D8-4808-442C-B218-77B2CE8780A0", "versionEndExcluding": "6.14.2", "versionStartIncluding": "6.14"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}