CVE-2025-68208
Description
In the Linux kernel, the following vulnerability has been resolved:
bpf: account for current allocated stack depth in widen_imprecise_scalars()
The usage pattern for widen_imprecise_scalars() looks as follows:
prev_st = find_prev_entry(env, ...); queued_st = push_stack(...); widen_imprecise_scalars(env, prev_st, queued_st);
Where prev_st is an ancestor of the queued_st in the explored states tree. This ancestor is not guaranteed to have same allocated stack depth as queued_st. E.g. in the following case:
def main(): for i in 1..2: foo(i) // same callsite, differnt param
def foo(i): if i == 1: use 128 bytes of stack iterator based loop
Here, for a second 'foo' call prev_st->allocated_stack is 128, while queued_st->allocated_stack is much smaller. widen_imprecise_scalars() needs to take this into account and avoid accessing bpf_verifier_state->frame[*]->stack out of bounds.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, a BPF verifier out-of-bounds stack access in widen_imprecise_scalars() can occur when ancestor and current states have different allocated stack depths.
Vulnerability
Analysis
The vulnerability is a bug in the Linux kernel's BPF verifier for BPF (Berkeley Packet Filter) programs. The function widen_imprecise_scalars() is called during state comparison, where it accesses the stack of a previous state (prev_st) and a newly queued state (queued_st). The code assumed both states have the same allocated stack depth, but this is not guaranteed. For example, when a function is called with different parameters that lead to different stack usage (e.g., one path uses 128 bytes, another uses less), the ancestor state may have a larger allocated stack than the current state. This mismatch can cause widen_imprecise_scalars() to read or write beyond the bounds of the current state's stack array, leading to an out-of-bounds access [1][2].
Exploitation
To exploit this, an attacker would need to craft a BPF program that triggers the specific state exploration pattern: a loop or conditional that causes the verifier to compare states with differing stack depths. The attacker must have the ability to load and execute BPF programs, which typically requires privileged access (CAP_BPF or root) on the system. No user interaction is required beyond loading the malicious BPF program. The bug is in the kernel's verifier, which runs during program load, so exploitation occurs at load time.
Impact
An out-of-bounds stack access in the kernel can lead to memory corruption, potentially allowing an attacker to crash the system (denial of service) or, in more severe cases, escalate privileges by corrupting kernel memory. The CVSS score of 7.8 (High) reflects the potential for high impact on confidentiality, integrity, and availability, though exploitation complexity is high due to the need for precise BPF program crafting.
Mitigation
The vulnerability is fixed in the Linux kernel stable releases. Patches are available in commits [1] and [2] (referenced in the kernel git tree). Users should update their kernel to a version containing the fix. No workaround is available; the only mitigation is to apply the kernel patch.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4News mentions
0No linked articles in our index yet.