CVE-2025-68744
Description
In the Linux kernel, the following vulnerability has been resolved:
bpf: Free special fields when update [lru_,]percpu_hash maps
As [lru_,]percpu_hash maps support BPF_KPTR_{REF,PERCPU}, missing calls to 'bpf_obj_free_fields()' in 'pcpu_copy_value()' could cause the memory referenced by BPF_KPTR_{REF,PERCPU} fields to be held until the map gets freed.
Fix this by calling 'bpf_obj_free_fields()' after 'copy_map_value[,_long]()' in 'pcpu_copy_value()'.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing call to 'bpf_obj_free_fields()' in the kernel's BPF percpu hash map update path causes BPF_KPTR_{REF,PERCPU} fields to be leaked until the map is freed.
Root Cause
When updating [lru_,]percpu_hash maps that support BPF_KPTR_{REF,PERCPU} fields, the kernel's pcpu_copy_value() function calls copy_map_value[,_long]() but does not invoke bpf_obj_free_fields() to release the previously stored BPF pointer fields. As a result, the memory referenced by the old value's special fields is not freed during the update, creating a memory leak that persists until the entire map is freed.
Exploitation Prerequisites
An attacker must have the ability to trigger map updates on a percpu BPF map that contains kptr fields. This typically requires local access to execute BPF programs with CAP_BPF or equivalent privileges, as BPF operations are restricted. No network-based remote exploitation is described.
Impact
A local attacker who can repeatedly update such a BPF map can cause a gradual depletion of kernel memory by preventing the release of BPF kptr references. This memory leak could lead to denial-of-service conditions on the affected system, degrading performance or eventually causing the system to become unresponsive.
Mitigation
The fix, introduced in Linux kernel commit 4a03d69cece1 (and also available via commit 3bf1378747e2e5), adds the missing bpf_obj_free_fields() call after the copy operation in pcpu_copy_value(). Users should apply the latest stable kernel update containing this patch. No known workaround is documented [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
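To confirm that a kernel source tree carries the fix described under Mitigation, the following added example (not kernel or vendor code) checks that every copy_map_value[,_long]() call inside pcpu_copy_value() is followed by a bpf_obj_free_fields() call. The file to scan is passed as an argument, and the two sample functions are constructed, simplified stand-ins rather than the real kernel source.

```shell
#!/bin/sh
# Added example, not kernel or vendor code. Scans one C source file.
# Assumes kernel coding style: the function definition starts in column 0.
# Exit status: 0 = every copy is followed by a free, 1 = a copy has no
# free after it, 2 = no pcpu_copy_value() definition found in the file.
has_pcpu_fix() {
    awk '
    !infn && /^[^ \t].*pcpu_copy_value[ \t]*\(/ && !/;[ \t]*$/ { infn = 1; found = 1 }
    infn {
        line = $0
        if (line ~ /copy_map_value(_long)?[ \t]*\(/) {
            if (pending) bad = 1      # previous copy never got its free
            pending = 1
        }
        if (line ~ /bpf_obj_free_fields[ \t]*\(/) pending = 0
        n = gsub(/[{]/, "", line); depth += n; if (n) opened = 1
        depth -= gsub(/[}]/, "", line)
        if (opened && depth == 0) { if (pending) bad = 1; exit }
    }
    END { if (!found) exit 2; exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed, simplified stand-in for the function before the fix.
sample_unfixed() {
    cat <<'EOF'
static void pcpu_copy_value(struct bpf_htab *htab, void __percpu *pptr,
                            void *value, bool onallcpus)
{
    void *ptr;
    if (!onallcpus) {
        ptr = this_cpu_ptr(pptr);
        copy_map_value(&htab->map, ptr, value);
    } else {
        for_each_possible_cpu(cpu) {
            ptr = per_cpu_ptr(pptr, cpu);
            copy_map_value_long(&htab->map, ptr, value + off);
        }
    }
}
EOF
}

# Constructed stand-in for the fixed form: a free after each copy.
sample_fixed() {
    sample_unfixed | awk '{ print } /copy_map_value/ { print "        bpf_obj_free_fields(htab->map.record, ptr);" }'
}
```

Run has_pcpu_fix against the file in your tree that defines pcpu_copy_value(); a status of 1 means the backport is missing.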
Affected products (1)
Patches (0)
No patches discovered yet.
References (5)
- git.kernel.org/stable/c/3bf1378747e251571e0de15e7e0a6bf2919044e7 (nvd)
- git.kernel.org/stable/c/4a03d69cece145e4fb527464be29c3806aa3221e (nvd)
- git.kernel.org/stable/c/6af6e49a76c9af7d42eb923703e7648cb2bf401a (nvd)
- git.kernel.org/stable/c/96a5cb7072cabbac5c66ac9318242c3bdceebb68 (nvd)
- git.kernel.org/stable/c/994d6303ed0b84cbc795bb5becf7ed6de40d3f3c (nvd)