Unrated severity · NVD Advisory · Published Oct 15, 2025 · Updated Apr 15, 2026

CVE-2025-39990

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Check the helper function is valid in get_helper_proto

kernel test robot reported verifier bug [1] where the helper func pointer could be NULL due to disabled config option.

As Alexei suggested we could check on that in get_helper_proto directly. Marking tail_call helper func with BPF_PTR_POISON, because it is unused by design.

[1] https://lore.kernel.org/oe-lkp/202507160818.68358831-lkp@intel.com

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A bug in the BPF verifier where a NULL pointer dereference could occur if a helper function was disabled, fixed by adding a validity check in get_helper_proto and marking the tail_call helper func with BPF_PTR_POISON.

Vulnerability

The Linux kernel's BPF (Berkeley Packet Filter) verifier, responsible for ensuring safe execution of BPF programs, contained a potential NULL pointer dereference in the get_helper_proto function. This occurred when a helper function pointer was NULL because its corresponding kernel configuration option was disabled [1]. The kernel test robot detected the bug during fuzzing [1].
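The check named in the description can be pictured with a small user-space model. This is an added example, not the kernel's code or the fix commit: the struct, the function IDs, `lookup_proto`, `get_helper_proto_checked` and `MODEL_PTR_POISON` are hypothetical stand-ins. It shows a helper whose `func` is NULL being rejected at lookup time, while an entry that is unused by design carries a non-NULL sentinel so it still passes the check.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space model: types, IDs and names are constructed for
 * illustration and are not the kernel's definitions. */
typedef uint64_t (*helper_fn)(uint64_t a);

struct helper_proto {
    helper_fn func; /* NULL models a helper whose config option is off */
};

/* Stand-in for BPF_PTR_POISON: non-NULL sentinel that is never called. */
#define MODEL_PTR_POISON ((helper_fn)(uintptr_t)0xeB9F)

enum { FUNC_UNSPEC, FUNC_ENABLED, FUNC_CONFIG_OFF, FUNC_TAIL_CALL, FUNC_MAX_ID };

static uint64_t enabled_helper(uint64_t a) { return a + 1; }

static const struct helper_proto protos[FUNC_MAX_ID] = {
    [FUNC_ENABLED]    = { .func = enabled_helper },
    [FUNC_CONFIG_OFF] = { .func = NULL },             /* compiled out */
    [FUNC_TAIL_CALL]  = { .func = MODEL_PTR_POISON }, /* unused by design */
};

/* Models the per-program-type proto lookup; NULL means "no such helper". */
static const struct helper_proto *lookup_proto(int func_id)
{
    return func_id == FUNC_UNSPEC ? NULL : &protos[func_id];
}

/* Accept a proto only if it exists and its func pointer is non-NULL. */
static int get_helper_proto_checked(int func_id, const struct helper_proto **ptr)
{
    if (func_id < 0 || func_id >= FUNC_MAX_ID)
        return -ERANGE;
    *ptr = lookup_proto(func_id);
    return (*ptr && (*ptr)->func) ? 0 : -EINVAL;
}

int main(void)
{
    const struct helper_proto *p;
    for (int id = 0; id <= FUNC_MAX_ID; id++)
        printf("func_id %d -> %d\n", id, get_helper_proto_checked(id, &p));
    return 0;
}
```

Doing the check once at lookup means callers of the lookup never see a proto with a NULL `func`, instead of each caller having to test for it.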

Exploitation

To trigger this vulnerability, a local attacker would need the ability to load BPF programs into the kernel (i.e., the CAP_BPF capability or root privileges). If a BPF program used a helper function that was disabled (e.g., due to a kernel config setting), the function pointer could be NULL, leading to a NULL pointer dereference in the verifier. This could cause a kernel crash (denial of service) or potentially be leveraged for privilege escalation if the attacker could control the dereferenced memory [1].

Impact

A successful exploit could crash the kernel, resulting in denial of service. In some configurations, it might be possible to achieve arbitrary code execution if the attacker can control the data at the NULL pointer offset, though this is more difficult with modern kernel protections [1]. The tail_call helper function was explicitly marked with BPF_PTR_POISON to prevent its accidental use, as it is intentionally unused by design [1].

Mitigation

The fix was applied to the Linux kernel stable tree and is available in the referenced commit [1]. System administrators should apply the latest kernel updates to protect against this vulnerability. As the bug requires local access to load BPF programs, restricting access to the bpf() system call can mitigate the risk if immediate patching is not possible.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
