CVE-2025-38502
Description
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix oob access in cgroup local storage
Lonial reported that an out-of-bounds access in cgroup local storage can be crafted via tail calls. Given two programs, each utilizing a cgroup local storage with a different value size, and one program doing a tail call into the other, the verifier will validate each of the individual programs just fine. However, in the runtime context the bpf_cg_run_ctx holds a bpf_prog_array_item which contains the BPF program as well as any cgroup local storage flavor the program uses. Helpers such as bpf_get_local_storage() pick this up from the runtime context:
    ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx);
    storage = ctx->prog_item->cgroup_storage[stype];

    if (stype == BPF_CGROUP_STORAGE_SHARED)
        ptr = &READ_ONCE(storage->buf)->data[0];
    else
        ptr = this_cpu_ptr(storage->percpu_buf);
For the second program which was called from the originally attached one, this means bpf_get_local_storage() will pick up the former program's map, not its own. With mismatching sizes, this can result in an unintended out-of-bounds access.
To fix this issue, we need to extend bpf_map_owner with an array of storage_cookie[] to match on i) the exact maps from the original program if the second program was using bpf_get_local_storage(), or ii) allow the tail call combination if the second program was not using any of the cgroup local storage maps.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, a BPF out-of-bounds access in cgroup local storage can be triggered via tail calls when programs use different storage sizes.
Vulnerability
CVE-2025-38502 is an out-of-bounds (OOB) access vulnerability in the Linux kernel's BPF subsystem, specifically in cgroup local storage handling. The root cause lies in how the BPF verifier validates programs individually but fails to account for mismatched storage sizes when a tail call is made between two programs that each use cgroup local storage with different value sizes. At runtime, the bpf_cg_run_ctx structure holds a bpf_prog_array_item that contains the BPF program and its associated cgroup local storage. When a tail call is made from one program to another, the helper bpf_get_local_storage() retrieves the storage from the original program's map, not the second program's own map, leading to an OOB access if the storage sizes differ [1].
Exploitation
To exploit this vulnerability, an attacker must be able to load and execute BPF programs with tail calls, which typically requires root privileges or CAP_BPF and CAP_NET_ADMIN capabilities. The attack surface involves crafting two BPF programs that each use cgroup local storage with different value sizes, and then arranging for one program to tail-call the other. The verifier does not detect this mismatch because it validates each program in isolation, so the OOB access only occurs at runtime when the tail call is executed [1].
Impact
Successful exploitation could allow an attacker to read or write memory beyond the bounds of the intended storage buffer, potentially leading to information disclosure or privilege escalation. The CVSS v3 score of 7.1 (High) reflects the potential for significant impact on confidentiality, integrity, and availability, though exploitation requires elevated privileges [1].
Mitigation
The fix involves extending bpf_map_owner with an array of storage_cookie[] to match the exact maps from the original program, or to allow the tail call combination if the second program does not use any cgroup local storage maps. Patches have been committed to the Linux kernel stable branches [2][3][4]. Users should update to the latest kernel version that includes the fix. The vulnerability is also listed in Siemens' advisory SSA-032379 as affecting SIMATIC CN 4100 devices; operators of those devices should apply the vendor-provided remediation [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
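To make the mechanism from the description and the fix from the Mitigation paragraph concrete, here is an added C model. It is not kernel code: the names cg_storage_map, prog, map_owner, prog_array_accept and oob_bytes_on_tail_call, the two-slot flavour array and the "cookie 0 means unused" convention are simplifications assumed for the example, and the real check lives in the kernel's bpf_map_owner handling rather than in a function shaped like this. The model shows the runtime view (the tail-called program resolves the caller's storage map, so a larger expected value size overruns the buffer actually provided) and the cookie match that the fix introduces (a later program is accepted into the prog_array only if, per flavour, it uses the same map as the owner or none at all).

```c
/* Added example modelling the CVE-2025-38502 fix; constructed names and data,
 * not the Linux kernel's own structures or function signatures. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The kernel has a fixed set of cgroup storage flavours; two slots suffice here.
 * Cookie 0 means "this program uses no map of that flavour" (assumption). */
#define NUM_STORAGE_TYPES 2
#define STORAGE_SHARED 0   /* stands in for BPF_CGROUP_STORAGE_SHARED */
#define STORAGE_PERCPU 1   /* stands in for BPF_CGROUP_STORAGE_PERCPU */

struct cg_storage_map {
    uint64_t cookie;     /* unique per map instance (constructed) */
    size_t value_size;   /* value size the map was created with */
};

struct prog {
    const char *name;
    /* Which cgroup storage map, if any, this program uses per flavour. */
    const struct cg_storage_map *cgroup_storage[NUM_STORAGE_TYPES];
};

/* Owner record of a prog_array: filled by the first program, checked for the rest. */
struct map_owner {
    bool set;
    uint64_t storage_cookie[NUM_STORAGE_TYPES];
};

static uint64_t storage_cookie_of(const struct prog *p, int stype)
{
    return p->cgroup_storage[stype] ? p->cgroup_storage[stype]->cookie : 0;
}

/* Intent of the fix: record the owner's storage cookies, then admit a later
 * program only if each flavour it uses resolves to the very same map. A
 * program that uses no cgroup storage at all is always compatible. */
static bool prog_array_accept(struct map_owner *owner, const struct prog *p)
{
    int i;

    if (!owner->set) {
        owner->set = true;
        for (i = 0; i < NUM_STORAGE_TYPES; i++)
            owner->storage_cookie[i] = storage_cookie_of(p, i);
        return true;
    }
    for (i = 0; i < NUM_STORAGE_TYPES; i++) {
        uint64_t c = storage_cookie_of(p, i);

        if (c != 0 && c != owner->storage_cookie[i])
            return false;   /* different map of the same flavour: reject */
    }
    return true;
}

/* Runtime view from the description: the callee inherits the run context of
 * the originally attached program, so bpf_get_local_storage() hands it the
 * caller's map. Returns how many bytes the callee's expected value size
 * exceeds the buffer actually provided (0 when the access fits). */
static size_t oob_bytes_on_tail_call(const struct prog *caller,
                                     const struct prog *callee, int stype)
{
    const struct cg_storage_map *runtime_map = caller->cgroup_storage[stype];
    const struct cg_storage_map *expected = callee->cgroup_storage[stype];
    size_t provided;

    if (!expected)
        return 0;           /* callee never touches this flavour */
    provided = runtime_map ? runtime_map->value_size : 0;
    return expected->value_size > provided ? expected->value_size - provided : 0;
}

/* Constructed scenario: one attached program with a small shared map, one
 * tail-call candidate with a much larger shared map, one without storage. */
static const struct cg_storage_map map_small = { 1, 16 };
static const struct cg_storage_map map_large = { 2, 4096 };

static const struct prog prog_a = { "attached, 16-byte storage",  { &map_small, NULL } };
static const struct prog prog_b = { "callee, 4096-byte storage",  { &map_large, NULL } };
static const struct prog prog_c = { "callee, no cgroup storage",  { NULL, NULL } };

/* Returns 1 when the mismatched callee is rejected and the storage-free one accepted. */
int demo(void)
{
    struct map_owner owner = { false, { 0, 0 } };
    bool a_ok = prog_array_accept(&owner, &prog_a);   /* first insert, records cookies */
    bool b_ok = prog_array_accept(&owner, &prog_b);   /* rejected by the cookie check */
    bool c_ok = prog_array_accept(&owner, &prog_c);   /* accepted: uses no storage */

    return a_ok && !b_ok && c_ok;
}

int main(void)
{
    printf("unpatched overrun if %s tail-calls %s: %zu bytes\n", prog_a.name,
           prog_b.name, oob_bytes_on_tail_call(&prog_a, &prog_b, STORAGE_SHARED));
    printf("patched prog_array admission behaves as expected: %d\n", demo());
    return 0;
}
```

The overrun size is only what the two map sizes imply; the point of the model is that the cookie comparison happens when programs are combined in the prog_array, which is exactly the step the per-program verifier run cannot see.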
Affected products
- Linux / Linux v5, range: 5.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- git.kernel.org/stable/c/19341d5c59e8c7e8528e40f8663e99d67810473c (NVD: Patch)
- git.kernel.org/stable/c/41688d1fc5d163a6c2c0e95c0419e2cb31a44648 (NVD: Patch)
- git.kernel.org/stable/c/66da7cee78590259b400e51a70622ccd41da7bb2 (NVD: Patch)
- git.kernel.org/stable/c/7acfa07c585e3d7a64654d38f0a5c762877d0b9b (NVD: Patch)
- git.kernel.org/stable/c/abad3d0bad72a52137e0c350c59542d75ae4f513 (NVD: Patch)
- git.kernel.org/stable/c/c1c74584b9b4043c52e41fec415226e582d266a3 (NVD: Patch)
- lists.debian.org/debian-lts-announce/2025/10/msg00008.html (NVD: Third Party Advisory)
- cert-portal.siemens.com/productcert/html/ssa-032379.html (NVD)
News mentions
- Siemens SIMATIC (CISA ICS Advisories)