CVE-2025-40123
Description
In the Linux kernel, the following vulnerability has been resolved:
bpf: Enforce expected_attach_type for tailcall compatibility
Yinhao et al. recently reported:
Our fuzzer tool discovered an uninitialized pointer issue in the bpf_prog_test_run_xdp() function within the Linux kernel's BPF subsystem. This leads to a NULL pointer dereference when a BPF program attempts to deference the txq member of struct xdp_buff object.
The test initializes two programs of BPF_PROG_TYPE_XDP: progA acts as the entry point for bpf_prog_test_run_xdp() and its expected_attach_type can neither be of be BPF_XDP_DEVMAP nor BPF_XDP_CPUMAP. progA calls into a slot of a tailcall map it owns. progB's expected_attach_type must be BPF_XDP_DEVMAP to pass xdp_is_valid_access() validation. The program returns struct xdp_md's egress_ifindex, and the latter is only allowed to be accessed under mentioned expected_attach_type. progB is then inserted into the tailcall which progA calls.
The underlying issue goes beyond XDP though. Another example are programs of type BPF_PROG_TYPE_CGROUP_SOCK_ADDR. sock_addr_is_valid_access() as well as sock_addr_func_proto() have different logic depending on the programs' expected_attach_type. Similarly, a program attached to BPF_CGROUP_INET4_GETPEERNAME should not be allowed doing a tailcall into a program which calls bpf_bind() out of BPF which is only enabled for BPF_CGROUP_INET4_CONNECT.
In short, specifying expected_attach_type allows to open up additional functionality or restrictions beyond what the basic bpf_prog_type enables. The use of tailcalls must not violate these constraints. Fix it by enforcing expected_attach_type in __bpf_prog_map_compatible().
Note that we only enforce this for tailcall maps, but not for BPF devmaps or cpumaps: There, the programs are invoked through dev_map_bpf_prog_run*() and cpu_map_bpf_prog_run*() which set up a new environment / context and therefore these situations are not prone to this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel BPF tailcall fails to enforce expected_attach_type, enabling NULL pointer dereference or unauthorized operations.
Vulnerability
The vulnerability resides in the Linux kernel's BPF subsystem, specifically in how tailcall maps handle program compatibility. The __bpf_prog_map_compatible() function does not verify the expected_attach_type of BPF programs when inserting them into a tailcall map. This allows a program with one expected_attach_type to tailcall into another program with a different expected_attach_type, bypassing the type-specific access controls. The issue was initially discovered through a NULL pointer dereference in bpf_prog_test_run_xdp() when a program with an incompatible attach type accessed txq member of xdp_buff.
Exploitation
An attacker with the ability to load BPF programs and create tailcall maps can exploit this flaw. For example, two XDP programs progA and progB can be crafted: progA as an entry point with a generic XDP attach type, and progB with BPF_XDP_DEVMAP attach type (which allows accessing egress_ifindex). progA then tailcalls into progB from its own tailcall map. Due to the missing check, progB executes with the context of the original entry program, potentially dereferencing invalid pointers. The same principle applies to other program types like CGROUP_SOCK_ADDR, where a program attached to BPF_CGROUP_INET4_GETPEERNAME could tailcall into one that uses bpf_bind(), which is only allowed for BPF_CGROUP_INET4_CONNECT.
Impact
Successful exploitation can lead to a denial of service (system crash due to NULL pointer dereference) or, in more severe cases, privilege escalation. By bypassing the expected_attach_type constraints, an attacker may gain access to sensitive kernel operations or data structures that should be restricted to specific attach types. The vulnerability does not require physical access but does require the ability to load and attach BPF programs, which typically needs root or CAP_BPF.
Mitigation
The kernel developers have addressed the issue by enforcing expected_attach_type checks in __bpf_prog_map_compatible() for tailcall maps. The fix is included in the Linux kernel stable tree. Users should apply the latest stable kernel updates to mitigate the vulnerability. The fix does not apply to devmaps or cpumaps, as those programs operate in a different context and are not susceptible to this issue.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
5c1ad19b5d8e2a99de19128ae08cb3dc9d2b4f856c598080b4540aed51b12Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- git.kernel.org/stable/c/08cb3dc9d2b44f153d0bcf2cb966e4a94b5d0f32nvd
- git.kernel.org/stable/c/4540aed51b12bc13364149bf95f6ecef013197c0nvd
- git.kernel.org/stable/c/a99de19128aec0913f3d529f529fbbff5edfaff8nvd
- git.kernel.org/stable/c/c1ad19b5d8e23123503dcaf2d4342e1b90b923adnvd
- git.kernel.org/stable/c/f856c598080ba7ce1252867b8ecd6ad5bdaf9a6anvd
News mentions
0No linked articles in our index yet.