Home

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: handle jset (if a & b ...) as a jump in CFG computation BPF_JSET is a conditional jump and currently verifier.c:can_jump() does not know about that. This can lead to incorrect live registers and SCC computation. E.g. in the following example: 1: r0 = 1; 2: r2 = 2; 3: if r1 & 0x7 goto +1; 4: exit; 5: r0 = r2; 6: exit; W/o this fix insn_successors(3) will return only (4), a jump to (5) would be missed and r2 won't be marked as alive at (3).

PUBLISHED Reserved 2025-04-16 | Published 2025-08-19 | Updated 2025-09-29 | Assigner Linux

Product status

Default status
unaffected

14c8552db64476ffc27c13dc6652fc0dac31c0ba before 65eb166b8636365ad3d6e36d50a7c5edfe6cc66e
affected

14c8552db64476ffc27c13dc6652fc0dac31c0ba before 261b30ad1516f4b9edd500aa6e8d6315c8fc109a
affected

14c8552db64476ffc27c13dc6652fc0dac31c0ba before 3157f7e2999616ac91f4d559a8566214f74000a5
affected

Default status
affected

6.15
affected

Any version before 6.15
unaffected

6.15.10
unaffected

6.16.1
unaffected

6.17
unaffected

References

git.kernel.org/...c/65eb166b8636365ad3d6e36d50a7c5edfe6cc66e

git.kernel.org/...c/261b30ad1516f4b9edd500aa6e8d6315c8fc109a

git.kernel.org/...c/3157f7e2999616ac91f4d559a8566214f74000a5

cve.org (CVE-2025-38607)

nvd.nist.gov (CVE-2025-38607)

Download JSON