CVE-2025-40078

Root

Cause

In the Linux kernel's BPF verifier, the sock_addr_is_valid_access function did not explicitly reject accesses to implicit padding fields in the bpf_sock_addr structure. Specifically, offset 60 corresponds to a 4-byte padding field located after msg_src_ip4. When a BPF program attempts to read from this offset, the verifier fails during context access conversion, leading to a kernel warning. [Description]

Exploitation

A local attacker with the ability to load and attach BPF sock_addr programs can craft a program that reads from offset 60 of the context. No special privileges beyond-normal privileges are required for such BPF operations, making the attack surface accessible to unprivileged users in some configurations. The syzkaller fuzzer reproduced this issue, demonstrating that the verifier does not properly sanitize field access, causing a kernel BUG or warning. [Description]

Impact

When triggered, the vulnerability results in a kernel warning and potentially a crash due to verifier bug, effectively causing a denial-of-service (DoS) condition on the affected system. While the kernel remains functional after a warning, repeated triggering degrades reliability and may escalate to a full system panic depending on the configuration.

Mitigation

Patches have been merged into the Linux kernel stable tree, as shown in commit references [1], [2], [3], and [4]. System administrators should apply the latest stable kernel updates from their distribution to resolve the issue. No workaround exists beyond restricting BPF access via kernel.unprivileged_bpf_disabled sysctl. [1][2][3][4]