QSearchQSearch

CVE-2025-38502

7.1 HIGH

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix oob access in cgroup local storage Lonial reported that an...

Published: 2025-08-16 · Last updated: 2026-06-01

Severity and scoring

CVSS
7.1 HIGH
Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CWE
CWE-125

Affected products

VendorProduct
debiandebian_linux, linux_kernel, simatic_cn_4100_firmware
linuxdebian_linux, linux_kernel, simatic_cn_4100_firmware
siemensdebian_linux, linux_kernel, simatic_cn_4100_firmware

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix oob access in cgroup local storage Lonial reported that an out-of-bounds access in cgroup local storage can be crafted via tail calls. Given two programs each utilizing a cgroup local storage with a different value size, and one program doing a tail call into the other. The verifier will validate each of the indivial programs just fine. However, in the runtime context the bpf_cg_run_ctx holds an bpf_prog_array_item which contains the BPF program as well as any cgroup local storage flavor the program uses. Helpers such as bpf_get_local_storage() pick this up from the runtime context: ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx); storage = ctx->prog_item->cgroup_storage[stype]; if (stype == BPF_CGROUP_STORAGE_SHARED) ptr = &READ_ONCE(storage->buf)->data[0]; else ptr = this_cpu_ptr(storage->percpu_buf); For the second program which was called from the originally attached one, this means bpf_get_local_storage() will pick up the former program's map, not its own. With mismatching sizes, this can result in an unintended out-of-bounds access. To fix this issue, we need to extend bpf_map_owner with an array of storage_cookie[] to match on i) the exact maps from the original program if the second program was using bpf_get_local_storage(), or ii) allow the tail call combination if the second program was not using any of the cgroup local storage maps.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-46749 A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6) (7.5 HIGH)
  • CVE-2026-46748 A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6) (8.8 HIGH)
  • CVE-2026-46747 A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6) (4.3 MEDIUM)
  • CVE-2026-46746 A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6) (8.8 HIGH)
  • CVE-2026-49975 Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP ... (7.5 HIGH)

Same CWE

  • CVE-2026-4367 A flaw was found in libXpm (5.5 MEDIUM)
  • CVE-2026-47963 DNG SDK versions 1.7.1 2536 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive me... (5.5 MEDIUM)
  • CVE-2026-47934 DNG SDK versions 1.7.1 2536 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive me... (5.5 MEDIUM)
  • CVE-2026-47927 DNG SDK versions 1.7.1 2536 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive me... (5.5 MEDIUM)
  • CVE-2026-47748 stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inf... (5.5 MEDIUM)