CVE-2023-54145
Description
In the Linux kernel, the following vulnerability has been resolved:
bpf: drop unnecessary user-triggerable WARN_ONCE in verifier log
It's trivial for user to trigger "verifier log line truncated" warning, as verifier has a fixed-sized buffer of 1024 bytes (as of now), and there are at least two pieces of user-provided information that can be output through this buffer, and both can be arbitrarily sized by user:
- BTF names;
- BTF.ext source code lines strings.
Verifier log buffer should be properly sized for typical verifier state output. But it's sort-of expected that this buffer won't be long enough in some circumstances. So let's drop the check. In any case code will work correctly, at worst truncating a part of a single line output.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A user-triggerable WARN_ONCE in the Linux kernel BPF verifier log was removed, so a log line that does not fit the verifier's fixed-size buffer no longer raises a kernel warning.
Vulnerability
In the Linux kernel's BPF verifier, a WARN_ONCE was emitted when the verifier log line was truncated due to a fixed 1024-byte buffer. User-supplied data, such as BTF names or BTF.ext source code lines, could exceed this buffer and trigger the warning. This was deemed unnecessary as the code handles truncation gracefully.
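The truncation path described above, modelled in userspace C as an added example; it is not kernel code and not part of the original advisory. `model_vlog`, `scn_vprintf`, `log_long_name`, the `warn_fired` flag and the `func#0 @%s` format are hypothetical, and the 4000-character name is constructed input standing in for a user-supplied BTF name.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define TMP_LOG_SIZE 1024  /* fixed per-line buffer size from the description */

static char kbuf[TMP_LOG_SIZE];
static int warn_fired;     /* models WARN_ONCE: fires at most once */

/* Bounded formatter: returns the number of characters actually stored,
 * never more than size - 1, and always NUL-terminates. */
static size_t scn_vprintf(char *buf, size_t size, const char *fmt, va_list ap)
{
    int n = vsnprintf(buf, size, fmt, ap);
    if (n < 0)
        return 0;
    return (size_t)n >= size ? size - 1 : (size_t)n;
}

/* Hypothetical model of the log path: warn_on_truncate = 1 is the behaviour
 * before the fix, 0 the behaviour after it. Returns bytes stored in kbuf. */
size_t model_vlog(int warn_on_truncate, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    size_t n = scn_vprintf(kbuf, sizeof(kbuf), fmt, ap);
    va_end(ap);
    /* Pre-fix check: a full buffer is reported as if it were a kernel bug,
     * although the length of the line is controlled by the caller. */
    if (warn_on_truncate && n >= TMP_LOG_SIZE - 1 && !warn_fired) {
        warn_fired = 1;
        fprintf(stderr, "WARNING: verifier log line truncated\n");
    }
    return n;
}

/* Constructed input: a 4000-character stand-in for a user-supplied name. */
size_t log_long_name(int warn_on_truncate)
{
    static char name[4001];              /* zero-initialised, so terminated */
    memset(name, 'A', sizeof(name) - 1);
    return model_vlog(warn_on_truncate, "func#0 @%s\n", name);
}

int main(void)
{
    size_t n = log_long_name(0);
    printf("after fix:  %zu bytes stored, warn=%d\n", n, warn_fired);
    n = log_long_name(1);
    printf("before fix: %zu bytes stored, warn=%d\n", n, warn_fired);
    return 0;
}
```

In both variants the stored line is capped at 1023 characters plus the terminator, so the only difference the check makes is the warning itself.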
Exploitation
An unprivileged user can supply arbitrarily sized BTF names or source code lines during BPF program verification, so that a formatted log line exceeds the verifier's fixed buffer, is truncated, and triggers the WARN_ONCE. No special privileges or network access are required, making it a trivial denial-of-service vector.
Impact
The WARN_ONCE generates a kernel warning, which may be disruptive but does not compromise confidentiality or integrity. The warning can cause system instability if monitored or logged excessively. The fix removes the warning entirely, as the code already handles truncation correctly.
Mitigation
The vulnerability is fixed in Linux kernel commit cff36398bd4c7d322d424433db437f3c3391c491 [1]. Users are advised to apply the patch or update to a kernel version containing it.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (3)
40c88c429a59, 926a175026fe, cff36398bd4c
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References