CVE-2025-38280
Description
In the Linux kernel, the following vulnerability has been resolved:
bpf: Avoid __bpf_prog_ret0_warn when jit fails
syzkaller reported an issue:
WARNING: CPU: 3 PID: 217 at kernel/bpf/core.c:2357 __bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357
Modules linked in:
CPU: 3 UID: 0 PID: 217 Comm: kworker/u32:6 Not tainted 6.15.0-rc4-syzkaller-00040-g8bac8898fe39
RIP: 0010:__bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357
Call Trace:
 bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]
 __bpf_prog_run include/linux/filter.h:718 [inline]
 bpf_prog_run include/linux/filter.h:725 [inline]
 cls_bpf_classify+0x74a/0x1110 net/sched/cls_bpf.c:105
 ...
When creating a bpf program, 'fp->jit_requested' depends on bpf_jit_enable. This issue is triggered because CONFIG_BPF_JIT_ALWAYS_ON is not set and bpf_jit_enable is set to 1, causing the arch to attempt to JIT the prog, but the JIT failed due to FAULT_INJECTION. As a result, the program is incorrectly treated as valid; when the program runs, it calls __bpf_prog_ret0_warn and triggers the WARN_ON_ONCE(1).
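A defender's check for the two preconditions named in the description (CONFIG_BPF_JIT_ALWAYS_ON not set, bpf_jit_enable turned on) and for the warning signature in kernel logs. This is an added example, not code from the CVE record or the kernel tree; the function names and SAMPLE_* inputs are constructed, and the `--live` branch assumes the usual locations `/boot/config-$(uname -r)`, `/proc/config.gz` and `/proc/sys/net/core/bpf_jit_enable`.

```shell
#!/bin/sh
# Added example (not from the CVE record or the kernel tree).
# Function names are illustrative; SAMPLE_* inputs are constructed.

SAMPLE_CFG='CONFIG_BPF_JIT=y
# CONFIG_BPF_JIT_ALWAYS_ON is not set'
SAMPLE_LOG='WARNING: CPU: 3 PID: 217 at kernel/bpf/core.c:2357 __bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357
RIP: 0010:__bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357'

# jit_always_on CONFIG_TEXT: succeeds only if CONFIG_BPF_JIT_ALWAYS_ON=y is set.
jit_always_on() {
    printf '%s\n' "$1" | grep -q '^CONFIG_BPF_JIT_ALWAYS_ON=y$'
}

# preconditions_met CONFIG_TEXT JIT_ENABLE: prints "met" or "not-met".
# The description names CONFIG_BPF_JIT_ALWAYS_ON unset plus bpf_jit_enable=1;
# value 2 also turns the JIT on (with debug output), so it is treated the same.
# An empty CONFIG_TEXT (config unreadable) counts as "unset", the cautious answer.
# "met" says nothing about whether the fix is applied; check the kernel version.
preconditions_met() {
    if jit_always_on "$1"; then
        echo not-met
        return 0
    fi
    case "$2" in
        1|2) echo met ;;
        *)   echo not-met ;;
    esac
}

# count_ret0_warn LOG_TEXT: number of WARNING lines naming __bpf_prog_ret0_warn.
# The RIP: line of the same splat is not counted, so one splat counts once.
count_ret0_warn() {
    printf '%s\n' "$1" | grep -c 'WARNING: .*__bpf_prog_ret0_warn' || true
}

# Live check on the current host, only when invoked with --live.
if [ "${1:-}" = "--live" ]; then
    cfg=$(cat "/boot/config-$(uname -r)" 2>/dev/null \
          || zcat /proc/config.gz 2>/dev/null || true)
    jit=$(cat /proc/sys/net/core/bpf_jit_enable 2>/dev/null || echo unknown)
    echo "bpf_jit_enable=$jit preconditions=$(preconditions_met "$cfg" "$jit")"
    echo "warnings_in_dmesg=$(count_ret0_warn "$(dmesg 2>/dev/null || true)")"
fi
```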
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A flaw in the Linux kernel's BPF verifier can trigger a WARN_ON and crash when JIT compilation fails.
Description
CVE-2025-38280 is a vulnerability in the Linux kernel's BPF subsystem. The issue occurs when CONFIG_BPF_JIT_ALWAYS_ON is not set and bpf_jit_enable is set to 1. Under these conditions, the kernel attempts to JIT compile a BPF program, but if JIT compilation fails due to a condition like FAULT_INJECTION, the program is incorrectly marked as valid. When the program is subsequently run, it invokes __bpf_prog_ret0_warn, which triggers a WARN_ON_ONCE(1) warning [1][2].
Exploitation
The vulnerability can be triggered by an attacker who can load BPF programs and influence the JIT compilation process (e.g., through fault injection). The attack does not require user interaction but does require local access or the ability to load BPF programs into the kernel. The attack path involves creating a BPF program and relying on the JIT compilation failure to lead to the warning [2].
Impact
Successful exploitation can result in a kernel panic (denial of service) due to the WARN_ON being triggered, which may cause the system to become unstable or crash. The CVSS v3 score is 7.8 (High), indicating a high severity impact on availability [1].
Mitigation
The vulnerability affects the Linux kernel versions where the bug is present. Patches have been committed to the kernel stable trees to fix the issue by properly handling JIT compilation failures and avoiding the invalid program state. Users should apply the relevant kernel updates or backport the fix from commits such as 0b9bb52796b2 [1][2][3][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Linux/Linux v5, Range: 4.16
References (8)
- git.kernel.org/stable/c/0b9bb52796b239de6792d0d68cdc6eb505ebff96 (nvd; Patch)
- git.kernel.org/stable/c/2bc6dffb4b72d53d6a6ada510269bf548c3f7ae0 (nvd; Patch)
- git.kernel.org/stable/c/6f639c25bfad17d9fd7379ab91ff9678ea9aac85 (nvd; Patch)
- git.kernel.org/stable/c/86bc9c742426a16b52a10ef61f5b721aecca2344 (nvd; Patch)
- git.kernel.org/stable/c/e7fb4ebee6e900899d2b2e5852c3e2eafcbcad66 (nvd; Patch)
- git.kernel.org/stable/c/ef92b96530d1731d9ac167bc7c193c683cd78fff (nvd; Patch)
- lists.debian.org/debian-lts-announce/2025/10/msg00008.html (nvd; Mailing List, Third Party Advisory)
- cert-portal.siemens.com/productcert/html/ssa-082556.html (nvd)