CVE-2025-38723
Description
In the Linux kernel, the following vulnerability has been resolved:
LoongArch: BPF: Fix jump offset calculation in tailcall
The extra pass of bpf_int_jit_compile() skips JIT context initialization which essentially skips offset calculation leaving out_offset = -1, so the jmp_offset in emit_bpf_tail_call is calculated by
"#define jmp_offset (out_offset - (cur_offset))"
is a negative number, which is wrong. The final generated assembly is as follows.
54: bgeu   $a2, $t1, -8      # 0x0000004c
58: addi.d $a6, $s5, -1
5c: bltz   $a6, -16          # 0x0000004c
60: alsl.d $t2, $a2, $a1, 0x3
64: ld.d   $t2, $t2, 264
68: beq    $t2, $zero, -28   # 0x0000004c
Before applying this patch, the following test case will reveal soft lockup issues.
cd tools/testing/selftests/bpf/
./test_progs --allow=tailcalls/tailcall_bpf2bpf_1
dmesg: watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [test_progs:25056]
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A flaw in the Linux kernel's BPF JIT for LoongArch miscalculates the jump offsets emitted for tail calls, leading to soft lockups.
Vulnerability
In the Linux kernel, a vulnerability was found in the BPF JIT compiler for the LoongArch architecture. The issue occurs during the extra pass of bpf_int_jit_compile(), which skips JIT context initialization. This omission leaves out_offset set to -1, so the jmp_offset computed in emit_bpf_tail_call as out_offset - cur_offset is a negative number. The resulting branch instructions carry wrong, backward displacements, as the assembly listing in the official description shows: all three exits of the tail-call sequence resolve to 0x4c, an address before the sequence itself.
The vulnerability is triggered when a BPF program uses tail calls. The incorrect jump offset calculation leads to malformed branch instructions in the generated native code. The attack surface is limited to systems running the Linux kernel on the LoongArch architecture that load and execute BPF programs containing tail calls. No special privileges are required beyond the ability to load BPF programs, which typically requires CAP_BPF or root access.
The impact of this vulnerability is a soft lockup, as demonstrated by the tailcalls/tailcall_bpf2bpf_1 test in the BPF selftests. Because the exit branches jump backwards instead of past the tail-call sequence, the CPU re-executes the sequence in an infinite loop and never returns to the scheduler, a denial of service that pins the affected CPU core. The kernel watchdog reports it as a soft lockup.
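The following C model is an added illustration, not code from the kernel or from this page. It replays the arithmetic quoted in the description, jmp_offset = out_offset - cur_offset, scaled to 4-byte LoongArch instructions, over a tail-call sequence whose instruction indices are taken from the listing above. The eight-instruction sequence length, the start address 0x50, and all function and field names are assumptions for the model. With out_offset left at -1 the three exit branches receive displacements -8, -16 and -28 and all resolve to 0x4c, before the sequence; with out_offset recorded as the index just past the sequence they all land on the same "out" label.

```c
#include <stdio.h>

/*
 * Added model of the jump-offset arithmetic described for CVE-2025-38723.
 * Not the kernel's JIT: the sequence length, indices and the start address
 * are assumptions modeled on the assembly listing in the CVE description.
 */

#define INSN_BYTES 4           /* every LoongArch instruction is 4 bytes */
#define TAILCALL_INSNS 8       /* assumed length of the modeled sequence */
#define OUT_OFFSET_UNSET (-1)  /* what the skipped initialization leaves behind */

struct jit_ctx {
	int idx;         /* index of the next instruction to emit */
	int out_offset;  /* "out" label, as an instruction index relative to idx0 */
};

/* cur_offset and jmp_offset follow the macros quoted in the description */
#define cur_offset (ctx->idx - idx0)
#define jmp_offset (ctx->out_offset - (cur_offset))

struct tailcall_result {
	int disp[3];    /* encoded byte displacements of bgeu, bltz, beq */
	int target[3];  /* absolute address each branch resolves to */
	int out_addr;   /* absolute address of the real "out" label */
};

static void emit_insn(struct jit_ctx *ctx)
{
	ctx->idx++;  /* the model only tracks position, not encodings */
}

/* Emit a branch to "out" and return the byte displacement it would encode. */
static int emit_branch_to_out(struct jit_ctx *ctx, int idx0)
{
	int disp = jmp_offset * INSN_BYTES;
	emit_insn(ctx);
	return disp;
}

/* Lay the modeled tail-call sequence out at seq_start and resolve its branches. */
static struct tailcall_result model_tailcall(int seq_start, int out_offset)
{
	struct jit_ctx c = { .idx = 0, .out_offset = out_offset };
	struct jit_ctx *ctx = &c;
	const int idx0 = ctx->idx;
	struct tailcall_result r;
	int branch_idx[3];

	emit_insn(ctx);                              /* 0: ld.w   t1, a1, max_entries */
	branch_idx[0] = cur_offset;
	r.disp[0] = emit_branch_to_out(ctx, idx0);   /* 1: bgeu   a2, t1, out */
	emit_insn(ctx);                              /* 2: addi.d a6, s5, -1 */
	branch_idx[1] = cur_offset;
	r.disp[1] = emit_branch_to_out(ctx, idx0);   /* 3: bltz   a6, out */
	emit_insn(ctx);                              /* 4: alsl.d t2, a2, a1, 3 */
	emit_insn(ctx);                              /* 5: ld.d   t2, t2, prog */
	branch_idx[2] = cur_offset;
	r.disp[2] = emit_branch_to_out(ctx, idx0);   /* 6: beq    t2, zero, out */
	emit_insn(ctx);                              /* 7: jump into the callee */

	r.out_addr = seq_start + cur_offset * INSN_BYTES;  /* "out" follows the sequence */
	for (int i = 0; i < 3; i++)
		r.target[i] = seq_start + branch_idx[i] * INSN_BYTES + r.disp[i];
	return r;
}

/* 1 when any exit branch lands before the sequence: a backward jump that
 * re-runs the tail-call check forever, which is what the watchdog reports
 * as a soft lockup. */
static int tailcall_loops_backward(const struct tailcall_result *r, int seq_start)
{
	for (int i = 0; i < 3; i++)
		if (r->target[i] < seq_start)
			return 1;
	return 0;
}

int main(void)
{
	const int seq_start = 0x50;  /* assumed: the listing shows bgeu at 0x54, index 1 */
	struct tailcall_result bug = model_tailcall(seq_start, OUT_OFFSET_UNSET);
	struct tailcall_result ok  = model_tailcall(seq_start, TAILCALL_INSNS);

	printf("out_offset=-1: disps %d %d %d, all land at 0x%x, loops backward: %d\n",
	       bug.disp[0], bug.disp[1], bug.disp[2], bug.target[0],
	       tailcall_loops_backward(&bug, seq_start));
	printf("out_offset=%d : disps %d %d %d, land at 0x%x == out 0x%x\n",
	       TAILCALL_INSNS, ok.disp[0], ok.disp[1], ok.disp[2],
	       ok.target[0], ok.out_addr);
	return 0;
}
```

Build with `cc -std=c99 tailcall_model.c && ./a.out`. The buggy run reproduces the -8, -16 and -28 displacements from the listing; the `tailcall_loops_backward` check is the kind of assertion a JIT self-test can make on emitted branches, since a forward-only exit from the tail-call sequence is an invariant of correct emission.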
The fix has been applied to the Linux kernel stable tree. Patches are available in commits such as 9262e3e04621, 1a782fa32e64 and cd39d9e6b7e4 [2][3][4]. Users should update their kernels to include these patches. The vulnerability is also listed in Siemens advisory SSA-032379 as affecting SIMATIC CN 4100 devices [1], indicating that downstream products may need vendor updates as well.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Linux/Linux v5 Range: 6.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- git.kernel.org/stable/c/17c010fe45def335fe03a0718935416b04c7f349 (nvd; Patch)
- git.kernel.org/stable/c/1a782fa32e644aa9fbae6c8488f3e61221ac96e1 (nvd; Patch)
- git.kernel.org/stable/c/9262e3e04621558e875eb5afb5e726b648cd5949 (nvd; Patch)
- git.kernel.org/stable/c/cd39d9e6b7e4c58fa77783e7aedf7ada51d02ea3 (nvd; Patch)
- git.kernel.org/stable/c/f2b5e50cc04d7a049b385bc1c93b9cbf5f10c94f (nvd; Patch)
- git.kernel.org/stable/c/f83d469e16bb1f75991ca67c56786fb2aaa42bea (nvd; Patch)
- lists.debian.org/debian-lts-announce/2025/10/msg00008.html (nvd; Mailing List, Third Party Advisory)
- cert-portal.siemens.com/productcert/html/ssa-032379.html (nvd)
News mentions
- Siemens SIMATIC (CISA ICS Advisories)