LiveActive security incident?Get immediate response
CVE Record

CVE-2025-38591: bpf: Reject narrower access to pointer ctx fields

In the Linux kernel, the following vulnerability has been resolved: bpf: Reject narrower access to pointer ctx fields The following BPF program, simplified from a syzkaller repro, causes a kernel warning: r0 = *(u8 *)(r1 + 169); exit; With pointer field sk being at offset 168 in __sk_buff. This access is detected as a narrower read in bpf_skb_is_valid_access because it doesn't match offsetof(struct __sk_buff, sk). It is therefore allowed and later proceeds to bpf_convert_ctx_access. Note that for the "is_narrower_load" case in the convert_ctx_accesses(), the insn->off is aligned, so the cnt may not be 0 because it matches the offsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However, the target_size stays 0 and the verifier errors with a kernel warning: verifier bug: error during ctx access conversion(1) This patch fixes that to return a proper "invalid bpf_context access off=X size=Y" error on the load instruction. The same issue affects multiple other fields in context structures that allow narrow access. Some other non-affected fields (for sk_msg, sk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for consistency. Note this syzkaller crash was reported in the "Closes" link below, which used to be about a different bug, fixed in commit fce7bd8e385a ("bpf/verifier: Handle BPF_LOAD_ACQ instructions in insn_def_regno()"). Because syzbot somehow confused the two bugs, the new crash and repro didn't get reported to the mailing list.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2025-38591 is a Linux kernel BPF verifier bug. A specially formed BPF program can trigger a kernel warning during context access conversion. The public record describes a fix that turns this into a proper invalid-access rejection, but it does not provide CVSS severity, impact beyond the warning, or evidence of exploitation.

Executive priority

Treat this as a kernel hygiene and exposure-management item unless your environment permits broad BPF use. Patch through normal kernel maintenance, and escalate only if vendor guidance later confirms meaningful impact or exploitability.

Technical view

The bug occurs when narrower loads target pointer fields in BPF context structures, such as __sk_buff.sk. Validation allowed the access, but conversion later failed with a verifier warning. The kernel fix rejects these narrower pointer-field accesses earlier with an invalid bpf_context access error. Multiple context fields were adjusted.

Likely exposure

Linux systems running affected kernel versions with reachable BPF program loading are the relevant exposure area. The source lists Linux as affected across multiple kernel version lines, but does not map vendor distributions or configurations.

Exploitation context

No active exploitation is stated. KEV is false, and the provided sources describe a syzkaller-discovered crash/repro rather than real-world exploitation. The record does not state remote exploitability, privilege requirements, or business impact.

Researcher notes

The evidence supports a verifier correctness issue found by syzkaller. The public bundle lacks CVSS, CWE, privilege assumptions, and exploit impact. Analysis should focus on fixed commits, affected kernel branches, and whether local policy permits BPF program loading.

Mitigation direction

  • Apply Linux kernel updates containing the referenced stable commits when available from your vendor.
  • Track vendor advisories for fixed package versions and backport status.
  • Limit BPF program loading to trusted administrative paths where operationally feasible.
  • Prioritize systems where untrusted users or services can influence BPF loading.

Validation and detection

  • Inventory Linux kernel versions across servers, containers hosts, and appliances.
  • Compare installed kernels against vendor advisories for CVE-2025-38591.
  • Confirm whether relevant stable fixes are present in your kernel changelog.
  • Review which users or services can load BPF programs.
Prepared
Confidence
medium
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-38591 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
7Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxf96da09473b52c09125cc9bf7d7d4576ae8229e0, f96da09473b52c09125cc9bf7d7d4576ae8229e0, f96da09473b52c09125cc9bf7d7d4576ae8229e0, f96da09473b52c09125cc9bf7d7d4576ae8229e0, f96da09473b52c09125cc9bf7d7d4576ae8229e0, f96da09473b52c09125cc9bf7d7d4576ae8229e0unaffected
LinuxLinux4.13, 0, 5.10.249, 5.15.199, 6.1.162, 6.12.67, 6.16.1, 6.17affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.