CVE-2025-39748

Vulnerability

CVE-2025-39748 is a vulnerability in the Linux kernel's BPF verifier, specifically in the handling of JSET (jump if set) instructions. The issue arises when the verifier refines register bounds after a JSET condition, potentially creating inconsistent bounds on an unreachable path, leading to a range invariant violation and a kernel warning. The root cause is that the verifier's range refinement for JSET does not account for all cases, particularly when combined with a prior equality check.

Exploitation

To trigger this vulnerability, an attacker would need to craft a BPF program that includes a sequence of conditional jumps: first an equality check (e.g., if r0 == 0), followed by a JSET check (e.g., if r0 & 0xffffffff). The verifier incorrectly analyzes the unreachable path where both conditions are false, leading to inconsistent register bounds. This requires the ability to load and execute a BPF program, which typically requires privileged access (CAP_BPF or root). The attack surface is limited to systems where unprivileged BPF is enabled or where an attacker has already gained sufficient privileges.

Impact

An attacker exploiting this vulnerability could cause a kernel warning (WARN_ON), potentially leading to a denial of service (system crash or hang) due to the kernel's panic-on-warn behavior. The CVSS v3 score is 5.5 (Medium), indicating a moderate severity. There is no evidence of privilege escalation or data corruption beyond the denial-of-service condition.

Mitigation

The fix, implemented in Linux kernel commits [1][2][3], takes a conservative approach: instead of improving the range refinement for JSET (which is complex and rarely used by LLVM), the patch forgets the register ranges whenever the tnum (ternary number) is narrowed after a JSET. This prevents the inconsistent bounds from being propagated. Users should apply the latest stable kernel updates to address this issue.