CVE-2025-40143
Description
In the Linux kernel, the following vulnerability has been resolved:
bpf: dont report verifier bug for missing bpf_scc_visit on speculative path
Syzbot generated a program that triggers a verifier_bug() call in maybe_exit_scc(). maybe_exit_scc() assumes that, when called for a state with insn_idx in some SCC, there should be an instance of struct bpf_scc_visit allocated for that SCC. Turns out the assumption does not hold for speculative execution paths. See example in the next patch.
maybe_scc_exit() is called from update_branch_counts() for states that reach branch count of zero, meaning that path exploration for a particular path is finished. Path exploration can finish in one of three ways: a. Verification error is found. In this case, update_branch_counts() is called only for non-speculative paths. b. Top level BPF_EXIT is reached. Such instructions are never a part of an SCC, so compute_scc_callchain() in maybe_scc_exit() will return false, and maybe_scc_exit() will return early. c. A checkpoint is reached and matched. Checkpoints are created by is_state_visited(), which calls maybe_enter_scc(), which allocates bpf_scc_visit instances for checkpoints within SCCs.
Hence, for non-speculative symbolic execution paths, the assumption still holds: if maybe_scc_exit() is called for a state within an SCC, bpf_scc_visit instance must exist.
This patch removes the verifier_bug() call for speculative paths.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A verifier bug triggered by a missing bpf_scc_visit on a speculative path in the Linux kernel's BPF subsystem could cause a denial of service. The fix removes the incorrect verifier_bug() call.
The Linux kernel's BPF verifier contained a flaw in maybe_exit_scc(), a function that manages state when path exploration finishes for a strongly connected component (SCC). The function assumed that a struct bpf_scc_visit instance would always be allocated for any SCC state being examined. However, this assumption failed for speculative execution paths, leading to a verifier_bug() call that triggers a kernel panic or warning, effectively a denial-of-service condition.
The vulnerability is triggered when the verifier explores a speculative path (e.g., due to a branch misprediction) and a state reaches a branch count of zero. In such cases, maybe_scc_exit() is invoked, but the corresponding bpf_scc_visit may not have been allocated because maybe_enter_scc() only allocates it for checkpoints on non-speculative paths. Attackers with the ability to load crafted BPF programs (requiring CAP_BPF or root privileges) could exploit this to crash the system.
A successful exploit causes the verifier to call verifier_bug(), which typically results in a kernel BUG or warning, leading to a system crash or hang. No privilege escalation or data leak is implied by the available sources; the primary impact is denial of service.
The fix, included in Linux kernel stable tree commit [1], removes the verifier_bug() call for speculative paths, allowing the verifier to handle the missing bpf_scc_visit gracefully instead of panicking. Users should apply the latest stable kernel updates to mitigate this issue.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
23861e7c4324aa3c73d629ea1Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.