CVE-2025-40183
Description
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}
Cilium has a BPF egress gateway feature which forces outgoing K8s Pod traffic to pass through dedicated egress gateways which then SNAT the traffic in order to interact with stable IPs outside the cluster.
The traffic is directed to the gateway via vxlan tunnel in collect md mode. A recent BPF change utilized the bpf_redirect_neigh() helper to forward packets after their arrival and decap on vxlan; over time it turned out that the kmalloc-256 slab usage in the kernel was ever-increasing.
The issue was that vxlan allocates the metadata_dst object and attaches it through a fake dst entry to the skb. The latter was never released though given bpf_redirect_neigh() was merely setting the new dst entry via skb_dst_set() without dropping an existing one first.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak in the Linux kernel: the bpf_redirect_neigh() helpers install a new dst entry without releasing the metadata_dst already attached to the skb, so each redirected packet leaks a metadata_dst object and slab memory is exhausted over time.
In the Linux kernel, CVE-2025-40183 is a memory leak vulnerability in the BPF infrastructure, specifically within the __bpf_redirect_neigh_v4 and __bpf_redirect_neigh_v6 helper functions. The root cause is a failure to properly release a metadata_dst object that is attached to an skb via a fake dst entry. When VXLAN tunnels are used in collect metadata mode, they allocate a metadata_dst and attach it to the packet; the BPF redirect helpers, however, overwrite the dst entry using skb_dst_set() without first dropping the existing one, leading to a persistent leak of the metadata_dst object.
The vulnerability is exploitable by triggering BPF programs that use the bpf_redirect_neigh() helper on VXLAN-decapsulated packets. The attack surface involves systems with eBPF programs (such as those in Cilium's egress gateway feature) that redirect traffic through tunnels in collect metadata mode. No authentication is needed to trigger the path itself, but the attacker must be able to control or influence network traffic that is processed by such BPF programs, typically from a compromised pod or from outside the cluster boundary.
Over time, this leak causes the kernel's kmalloc-256 slab to grow continuously, because the metadata_dst that vxlan attached to each redirected packet is never freed. This leads to kernel memory exhaustion, potentially causing system instability or denial-of-service conditions. The kernel may eventually trigger out-of-memory (OOM) killer actions, impacting all processes on the system.
The vulnerability has been fixed by adding an explicit skb_dst_drop() call before skb_dst_set() in the bpf_redirect_neigh helpers [1][3]. The fix is carried in stable-tree commits including 057764172fcc [1] and 23f3770e1a53 [2]; kernels without it remain affected. Users should update to a corrected kernel version; no workaround is known other than avoiding use of the affected BPF helpers or ensuring the patch is applied.
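To make the reference-ownership bug concrete, here is a small user-space model of the path described above. It is added to this page as an illustration and is not kernel code, a Cilium snippet, or one of the patches; the `dst_entry`, `skb_dst_set()`, `skb_dst_drop()`, `redirect_neigh_*()` and `simulate_redirects()` names are toy stand-ins that only reproduce the contract the description relies on: skb_dst_set() takes ownership of the new reference but does nothing with the dst the skb already holds. The model pushes the same packet sequence (vxlan decap attaches a metadata_dst, the helper installs the looked-up route, the skb is freed) through a pre-fix style helper and a fixed one, and counts the dst objects that survive.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Toy model of the leak, added as an illustration; this is NOT kernel code.
 * The structures and functions below only mimic the refcounting contract of
 * the real dst_entry / sk_buff API so the leak can be counted in user space.
 */
struct dst_entry {
    int refcnt;
};

struct sk_buff {
    struct dst_entry *dst;
};

/* Number of dst objects allocated but not yet freed (models slab growth). */
static long live_dsts;

static struct dst_entry *dst_alloc(void)
{
    struct dst_entry *d = malloc(sizeof(*d));
    if (!d)
        abort();
    d->refcnt = 1;
    live_dsts++;
    return d;
}

static void dst_release(struct dst_entry *d)
{
    if (d && --d->refcnt == 0) {
        free(d);
        live_dsts--;
    }
}

/* Like the kernel's skb_dst_set(): takes ownership of the new reference,
 * but does nothing with whatever dst the skb already held. */
static void skb_dst_set(struct sk_buff *skb, struct dst_entry *dst)
{
    skb->dst = dst;
}

/* Like the kernel's skb_dst_drop(): releases the held dst, if any. */
static void skb_dst_drop(struct sk_buff *skb)
{
    dst_release(skb->dst);
    skb->dst = NULL;
}

/* Pre-fix behaviour: the route found by the neighbour lookup replaces the
 * metadata_dst that vxlan attached, and that object is never released. */
static void redirect_neigh_leaky(struct sk_buff *skb, struct dst_entry *route)
{
    skb_dst_set(skb, route);
}

/* Fixed behaviour: drop the existing dst before installing the new one. */
static void redirect_neigh_fixed(struct sk_buff *skb, struct dst_entry *route)
{
    skb_dst_drop(skb);
    skb_dst_set(skb, route);
}

/*
 * Push `npackets` packets through the modelled path:
 *   vxlan decap attaches a metadata_dst -> redirect helper -> skb freed.
 * Returns how many dst objects are still alive afterwards; any non-zero
 * value is the per-packet leak that shows up as kmalloc-256 growth.
 */
long simulate_redirects(long npackets, int use_fixed_helper)
{
    live_dsts = 0;
    for (long i = 0; i < npackets; i++) {
        struct sk_buff skb = { 0 };

        skb_dst_set(&skb, dst_alloc());        /* vxlan collect-md: metadata_dst */
        struct dst_entry *route = dst_alloc(); /* result of the route lookup */

        if (use_fixed_helper)
            redirect_neigh_fixed(&skb, route);
        else
            redirect_neigh_leaky(&skb, route);

        skb_dst_drop(&skb);                    /* kfree_skb() releases skb->dst */
    }
    return live_dsts;
}

int main(void)
{
    printf("leaky helper: %ld dst objects left after 1000 packets\n",
           simulate_redirects(1000, 0));
    printf("fixed helper: %ld dst objects left after 1000 packets\n",
           simulate_redirects(1000, 1));
    return 0;
}
```

The leaky variant leaves exactly one object per packet, which is the linear growth the description reports; the fixed variant leaves none. On a live kernel the equivalent observation is the kmalloc-256 line of /proc/slabinfo (or slabtop) climbing in step with redirected tunnel traffic and never coming back down, which is the signal to look for when deciding whether a node is running an unpatched kernel.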
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (7)
- 3fba965a9aac
- 057764172fcc
- 2e67c2037382
- b6bfe44b6dbb
- f36a305d30f5
- 7404ce888a45
- 23f3770e1a53
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (7)
- git.kernel.org/stable/c/057764172fcc6ee2ccb6c41351a55a9f054dc8fd (nvd)
- git.kernel.org/stable/c/23f3770e1a53e6c7a553135011f547209e141e72 (nvd)
- git.kernel.org/stable/c/2e67c2037382abb56497bb9d7b7e10be04eb5598 (nvd)
- git.kernel.org/stable/c/3fba965a9aac0fa3cbd8138436a37af9ab466d79 (nvd)
- git.kernel.org/stable/c/7404ce888a45eb7da0508b7cbbe6f2e95302eeb8 (nvd)
- git.kernel.org/stable/c/b6bfe44b6dbb14a31d86c475cdc9c7689534fb09 (nvd)
- git.kernel.org/stable/c/f36a305d30f557306d87c787ddffe094ac5dac89 (nvd)
News mentions (0)
No linked articles in our index yet.