CVE-2025-68742
Description
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix invalid prog->stats access when update_effective_progs fails
Syzkaller triggers an invalid memory access issue following fault injection in update_effective_progs. The issue can be described as follows:
__cgroup_bpf_detach update_effective_progs compute_effective_progs bpf_prog_array_alloc <-- fault inject purge_effective_progs /* change to dummy_bpf_prog */ array->items[index] = &dummy_bpf_prog.prog
---softirq start--- __do_softirq ... __cgroup_bpf_run_filter_skb __bpf_prog_run_save_cb bpf_prog_run stats = this_cpu_ptr(prog->stats) /* invalid memory access */ flags = u64_stats_update_begin_irqsave(&stats->syncp) ---softirq end---
static_branch_dec(&cgroup_bpf_enabled_key[atype])
The reason is that fault injection caused update_effective_progs to fail and then changed the original prog into dummy_bpf_prog.prog in purge_effective_progs. Then a softirq came, and accessing the members of dummy_bpf_prog.prog in the softirq triggers invalid mem access.
To fix it, skip updating stats when stats is NULL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A BPF use-after-free in the Linux kernel's cgroup BPF detach path, triggered by fault injection, leads to invalid memory access in softirq.
Vulnerability
Analysis
CVE-2025-68742 is a BPF subsystem flaw in the Linux kernel, discovered via syzkaller fuzzing with fault injection. The root cause lies in the __cgroup_bpf_detach function. When update_effective_progs fails due to an injected memory allocation fault in bpf_prog_array_alloc, the error handling in purge_effective_progs replaces the original program pointer with dummy_bpf_prog.prog. This dummy program has a NULL stats pointer. A subsequent softirq (e.g., triggered by a network packet) running __cgroup_bpf_run_filter_skb attempts to access prog->stats, causing an invalid memory access and potential kernel crash [1].
Exploitation
An attacker with the ability to trigger capability (such as attaching and detaching BPF programs in cgroups) could combine the detach operation with a fault injection technique (e.g., via a privileged mechanism like fail_function) to reach this race condition. The vulnerability is not directly exploitable without local access to the kernel and some control over BPF program lifecycle. The race window between the detach path setting the dummy program and the softirq execution is necessary for the invalid access to occur [1].
Impact
Successful exploitation leads to a denial-of-service (DoS) condition via an invalid memory access, causing a kernel oops or panic. The CVSS v3.1 score is 5.5 (Medium), indicating local low-complexity exploitation with high availability impact [1], [2], [3].
Mitigation
The fix is merged into the stable kernel trees. It adds a NULL check for prog->stats before accessing it in the stats update path, preventing the use-after-free. Administrators should apply the latest kernel patches (commits referenced below) to their distributions [1], [2], [3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- git.kernel.org/stable/c/2579c356ccd35d06238b176e4b460978186d804bnvd
- git.kernel.org/stable/c/539137e3038ce6f953efd72110110f03c14c7d97nvd
- git.kernel.org/stable/c/56905bb70c8b88421709bb4e32fcba617aa37d41nvd
- git.kernel.org/stable/c/7dc211c1159d991db609bdf4b0fb9033c04adcbcnvd
- git.kernel.org/stable/c/93d1964773ff513c9bd530f7686d3e48b786fa6bnvd
- git.kernel.org/stable/c/bf2c990b012100610c0f1ec5c4ea434da2d080c2nvd
News mentions
0No linked articles in our index yet.