CVE-2025-40169
Linux Kernel - BPF Verifier Bypass via Negative ALU Offset
Title source: llmDescription
In the Linux kernel, the following vulnerability has been resolved: bpf: Reject negative offsets for ALU ops When verifying BPF programs, the check_alu_op() function validates instructions with ALU operations. The 'offset' field in these instructions is a signed 16-bit integer. The existing check 'insn->off > 1' was intended to ensure the offset is either 0, or 1 for BPF_MOD/BPF_DIV. However, because 'insn->off' is signed, this check incorrectly accepts all negative values (e.g., -1). This commit tightens the validation by changing the condition to '(insn->off != 0 && insn->off != 1)'. This ensures that any value other than the explicitly permitted 0 and 1 is rejected, hardening the verifier against malformed BPF programs.
References (4)
Core 4
Core References
Scores
EPSS
0.0018
EPSS Percentile
8.1%
Details
Status
published
Products (13)
linux/Kernel
6.13.0 - 6.17.3linux
linux/Kernel
6.6.0 - 6.6.112linux
linux/Kernel
6.7.0 - 6.12.53linux
Linux/Linux
< 6.6
Linux/Linux
6.12.53 - 6.12.*
Linux/Linux
6.17.3 - 6.17.*
Linux/Linux
6.18
Linux/Linux
6.6
Linux/Linux
6.6.112 - 6.6.*
Linux/Linux
ec0e2da95f72d4a46050a4d994e4fe471474fd80 - 21167bf70dbe400563e189ac632258d35eda38b5
... and 3 more
Published
Nov 12, 2025
Tracked Since
Feb 18, 2026