VYPR
← All advisories
Unrated severityNVD Advisory· Published Oct 28, 2025· Updated Apr 15, 2026

CVE-2025-40079

CVE-2025-40079

Description

In the Linux kernel, the following vulnerability has been resolved:

riscv, bpf: Sign extend struct ops return values properly

The ns_bpf_qdisc selftest triggers a kernel panic:

Unable to handle kernel paging request at virtual address ffffffffa38dbf58 Current test_progs pgtable: 4K pagesize, 57-bit VAs, pgdp=0x00000001109cc000 [ffffffffa38dbf58] pgd=000000011fffd801, p4d=000000011fffd401, pud=000000011fffd001, pmd=0000000000000000 Oops [#1] Modules linked in: bpf_testmod(OE) xt_conntrack nls_iso8859_1 [...] [last unloaded: bpf_testmod(OE)] CPU: 1 UID: 0 PID: 23584 Comm: test_progs Tainted: G W OE 6.17.0-rc1-g2465bb83e0b4 #1 NONE Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2024.01+dfsg-1ubuntu5.1 01/01/2024 epc : __qdisc_run+0x82/0x6f0 ra : __qdisc_run+0x6e/0x6f0 epc : ffffffff80bd5c7a ra : ffffffff80bd5c66 sp : ff2000000eecb550 gp : ffffffff82472098 tp : ff60000096895940 t0 : ffffffff8001f180 t1 : ffffffff801e1664 t2 : 0000000000000000 s0 : ff2000000eecb5d0 s1 : ff60000093a6a600 a0 : ffffffffa38dbee8 a1 : 0000000000000001 a2 : ff2000000eecb510 a3 : 0000000000000001 a4 : 0000000000000000 a5 : 0000000000000010 a6 : 0000000000000000 a7 : 0000000000735049 s2 : ffffffffa38dbee8 s3 : 0000000000000040 s4 : ff6000008bcda000 s5 : 0000000000000008 s6 : ff60000093a6a680 s7 : ff60000093a6a6f0 s8 : ff60000093a6a6ac s9 : ff60000093140000 s10: 0000000000000000 s11: ff2000000eecb9d0 t3 : 0000000000000000 t4 : 0000000000ff0000 t5 : 0000000000000000 t6 : ff60000093a6a8b6 status: 0000000200000120 badaddr: ffffffffa38dbf58 cause: 000000000000000d [] __qdisc_run+0x82/0x6f0 [] __dev_queue_xmit+0x4c0/0x1128 [] neigh_resolve_output+0xd0/0x170 [] ip6_finish_output2+0x226/0x6c8 [] ip6_finish_output+0x10c/0x2a0 [] ip6_output+0x5e/0x178 [] ip6_xmit+0x29a/0x608 [] inet6_csk_xmit+0xe6/0x140 [] __tcp_transmit_skb+0x45c/0xaa8 [] tcp_connect+0x9ce/0xd10 [] tcp_v6_connect+0x4ac/0x5e8 [] __inet_stream_connect+0xd8/0x318 [] inet_stream_connect+0x3e/0x68 [] __sys_connect_file+0x50/0x88 [] __sys_connect+0x96/0xc8 [] __riscv_sys_connect+0x20/0x30 [] do_trap_ecall_u+0x256/0x378 [] handle_exception+0x14a/0x156 Code: 892a 0363 1205 489c 8bc1 c7e5 2d03 084a 2703 080a (2783) 0709 ---[ end trace 0000000000000000 ]---

The bpf_fifo_dequeue prog returns a skb which is a pointer. The pointer is treated as a 32bit value and sign extend to 64bit in epilogue. This behavior is right for most bpf prog types but wrong for struct ops which requires RISC-V ABI.

So let's sign extend struct ops return values according to the function model and RISC-V ABI([0]).

[0]: https://riscv.org/wp-content/uploads/2024/12/riscv-calling.pdf

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing sign extension for struct ops return values in the BPF subsystem on RISC-V can cause a kernel panic when running the ns_bpf_qdisc selftest.

Vulnerability

In the Linux kernel, a bug in the BPF subsystem for the RISC-V architecture causes a kernel panic when struct ops return values are not properly sign-extended. The issue manifests during the ns_bpf_qdisc selftest, leading to a crash with an 'Unable to handle kernel paging request' error at a virtual address, as shown in the kernel oops report [1].

Exploitation

The vulnerability is triggered by a BPF program that uses struct ops, where the return value is not sign-extended correctly on RISC-V. This can occur when a BPF program attached to a qdisc (queueing discipline) returns a value that is interpreted as a pointer or negative offset, causing the kernel to access an invalid memory address. The attack surface is local, requiring the ability to load and attach a crafted BPF program, which typically requires root privileges or CAP_BPF [1].

Impact

Successful exploitation results in a kernel panic, leading to a denial of service (DoS) on the affected system. The crash trace shows the panic originates in __qdisc_run and propagates through the network stack, ultimately causing the system to become unresponsive [1].

Mitigation

The fix has been applied in the Linux kernel stable tree via commits that properly sign-extend the return values of struct ops on RISC-V. Users should update to a kernel version containing the fix, such as those including commit 918a399501e2 or later [1][2][3].

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

3
92751937f12a
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
918a399501e2
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
fd2e08128944
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.