CVE-2025-38586

MEDIUM

Linux Kernel 6.12-6.12.41, 6.13-6.15.9, 6.16 - Null Pointer Dereference in ARM64 BPF JIT Exception Boundary Handling


Description

In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Fix fp initialization for exception boundary

In the ARM64 BPF JIT, when prog->aux->exception_boundary is set for a BPF program, find_used_callee_regs() is not called, because for a program acting as an exception boundary all callee-saved registers are saved.

find_used_callee_regs() sets `ctx->fp_used = true;` when it sees FP being used in any of the instructions.

For programs acting as an exception boundary, ctx->fp_used therefore remains false even if the frame pointer is used by the program, and so FP is not set up for such programs in the prologue. This can cause the kernel to crash due to a page fault.

Fix it by setting ctx->fp_used = true for exception boundary programs, as fp is always saved in such programs.

Scores

CVSS v3 5.5
EPSS 0.0014
EPSS Percentile 4.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-476
Status published
Products (14)
linux/Kernel 6.12.0 - 6.12.42
linux/Kernel 6.13.0 - 6.15.10
linux/Kernel 6.16.0 - 6.16.1
Linux/Linux < 6.12
Linux/Linux 5d4fa9ec5643a5c75d3c1e6abf50fb9284caf1ff - 0dbef493cae7d451f740558665893c000adb2321
Linux/Linux 5d4fa9ec5643a5c75d3c1e6abf50fb9284caf1ff - 1ce30231e0a2c8c361ee5f8f7f265fc17130adce
Linux/Linux 5d4fa9ec5643a5c75d3c1e6abf50fb9284caf1ff - b114fcee766d5101eada1aca7bb5fd0a86c89b35
Linux/Linux 5d4fa9ec5643a5c75d3c1e6abf50fb9284caf1ff - e23184725dbb72d5d02940222eee36dbba2aa422
Linux/Linux 6.12
Linux/Linux 6.12.42 - 6.12.*
... and 4 more
Published Aug 19, 2025
Tracked Since Feb 18, 2026