CVE-2025-40078

Linux Kernel - Unauthenticated Use-After-Free via BPF Verifier

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Explicitly check accesses to bpf_sock_addr Syzkaller found a kernel warning on the following sock_addr program: 0: r0 = 0 1: r2 = *(u32 *)(r1 +60) 2: exit which triggers: verifier bug: error during ctx access conversion (0) This is happening because offset 60 in bpf_sock_addr corresponds to an implicit padding of 4 bytes, right after msg_src_ip4. Access to this padding isn't rejected in sock_addr_is_valid_access and it thus later fails to convert the access. This patch fixes it by explicitly checking the various fields of bpf_sock_addr in sock_addr_is_valid_access. I checked the other ctx structures and is_valid_access functions and didn't find any other similar cases. Other cases of (properly handled) padding are covered in new tests in a subsequent patch.

Scores

EPSS 0.0022
EPSS Percentile 12.2%

Details

Status published
Products (25)
linux/Kernel 4.18.0 - 5.4.301linux
linux/Kernel 5.11.0 - 5.15.195linux
linux/Kernel 5.16.0 - 6.1.156linux
linux/Kernel 5.5.0 - 5.10.246linux
linux/Kernel 6.13.0 - 6.17.3linux
linux/Kernel 6.2.0 - 6.6.112linux
linux/Kernel 6.7.0 - 6.12.53linux
Linux/Linux < 4.18
Linux/Linux 1cedee13d25ab118d325f95588c1a084e9317229 - 4f00858cd9bbbdf67159e28b85a8ca9e77c83622
Linux/Linux 1cedee13d25ab118d325f95588c1a084e9317229 - 6d8b1a21fd5c34622b0c3893c61e4a38d8ba53ec
... and 15 more
Published Oct 28, 2025
Tracked Since Feb 18, 2026