CVE-2025-38591: bpf: Reject narrower access to pointer ctx fields
In the Linux kernel, the following vulnerability has been resolved:
bpf: Reject narrower access to pointer ctx fields
The following BPF program, simplified from a syzkaller repro, causes a
kernel warning:
r0 = *(u8 *)(r1 + 169);
exit;
With pointer field sk being at offset 168 in __sk_buff. This access is
detected as a narrower read in bpf_skb_is_valid_access because it
doesn't match offsetof(struct __sk_buff, sk). It is therefore allowed
and later proceeds to bpf_convert_ctx_access. Note that for the
"is_narrower_load" case in the convert_ctx_accesses(), the insn->off
is aligned, so the cnt may not be 0 because it matches the
offsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However,
the target_size stays 0 and the verifier errors with a kernel warning:
verifier bug: error during ctx access conversion(1)
This patch fixes that to return a proper "invalid bpf_context access
off=X size=Y" error on the load instruction.
The same issue affects multiple other fields in context structures that
allow narrow access. Some other non-affected fields (for sk_msg,
sk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for
consistency.
Note this syzkaller crash was reported in the "Closes" link below, which
used to be about a different bug, fixed in
commit fce7bd8e385a ("bpf/verifier: Handle BPF_LOAD_ACQ instructions
in insn_def_regno()"). Because syzbot somehow confused the two bugs,
the new crash and repro didn't get reported to the mailing list.
Security readout for executives and security teams
Plain-English summary
CVE-2025-38591 is a Linux kernel BPF verifier bug. A specially formed BPF program can trigger a kernel warning during context access conversion. The public record describes a fix that turns this into a proper invalid-access rejection, but it does not provide CVSS severity, impact beyond the warning, or evidence of exploitation.
Executive priority
Treat this as a kernel hygiene and exposure-management item unless your environment permits broad BPF use. Patch through normal kernel maintenance, and escalate only if vendor guidance later confirms meaningful impact or exploitability.
Technical view
The bug occurs when narrower loads target pointer fields in BPF context structures, such as __sk_buff.sk. Validation allowed the access, but conversion later failed with a verifier warning. The kernel fix rejects these narrower pointer-field accesses earlier with an invalid bpf_context access error. Multiple context fields were adjusted.
Likely exposure
Linux systems running affected kernel versions with reachable BPF program loading are the relevant exposure area. The source lists Linux as affected across multiple kernel version lines, but does not map vendor distributions or configurations.
Exploitation context
No active exploitation is stated. KEV is false, and the provided sources describe a syzkaller-discovered crash/repro rather than real-world exploitation. The record does not state remote exploitability, privilege requirements, or business impact.
Researcher notes
The evidence supports a verifier correctness issue found by syzkaller. The public bundle lacks CVSS, CWE, privilege assumptions, and exploit impact. Analysis should focus on fixed commits, affected kernel branches, and whether local policy permits BPF program loading.
Mitigation direction
Apply Linux kernel updates containing the referenced stable commits when available from your vendor.
Track vendor advisories for fixed package versions and backport status.
Limit BPF program loading to trusted administrative paths where operationally feasible.
Prioritize systems where untrusted users or services can influence BPF loading.
Validation and detection
Inventory Linux kernel versions across servers, containers hosts, and appliances.
Compare installed kernels against vendor advisories for CVE-2025-38591.
Confirm whether relevant stable fixes are present in your kernel changelog.
Review which users or services can load BPF programs.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2025-38591 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.