CVE-2025-38607 in Linux
Summary
by MITRE • 08/19/2025
In the Linux kernel, the following vulnerability has been resolved:
bpf: handle jset (if a & b ...) as a jump in CFG computation
BPF_JSET is a conditional jump and currently verifier.c:can_jump() does not know about that. This can lead to incorrect live registers and SCC computation.
E.g. in the following example:
1: r0 = 1; 2: r2 = 2; 3: if r1 & 0x7 goto +1; 4: exit; 5: r0 = r2; 6: exit;
W/o this fix insn_successors(3) will return only (4), a jump to (5) would be missed and r2 won't be marked as alive at (3).
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 01/16/2026
The vulnerability identified as CVE-2025-38607 represents a critical flaw in the Linux kernel's eBPF (extended Berkeley Packet Filter) verifier component that affects the control flow graph (CFG) computation process. This issue specifically impacts how the kernel handles BPF_JSET instructions, which are conditional jump operations that test bitwise AND operations between registers and immediate values. The problem lies in the verifier.c module where the can_jump() function fails to recognize BPF_JSET as a valid conditional jump instruction, leading to incorrect analysis of program control flow and register liveness.
The technical implementation of this vulnerability stems from the kernel's inability to properly track register states during CFG construction when processing conditional jump instructions. In the provided example, instruction 3 performs a bitwise AND operation between register r1 and the immediate value 0x7, with a conditional jump to instruction 4 if the result is non-zero. However, due to the missing recognition of BPF_JSET as a conditional jump, the verifier fails to compute all possible execution paths correctly. This results in the insn_successors(3) function returning only the direct jump target at instruction 4, while completely overlooking the alternative execution path that would lead to instruction 5. The consequence is that register r2, which is loaded with the value 2 at instruction 2, is not properly marked as live at instruction 3, creating a false positive in the register liveness analysis.
The operational impact of this vulnerability extends beyond simple register tracking issues, as it fundamentally compromises the security assurances provided by the eBPF verifier's static analysis capabilities. When the verifier incorrectly computes the control flow graph and register liveness, it can lead to memory safety violations, privilege escalation opportunities, and potential code execution exploits. The flaw enables attackers to craft malicious eBPF programs that bypass the verifier's safety checks, potentially allowing unauthorized access to kernel memory regions or execution of arbitrary code with kernel privileges. This vulnerability aligns with CWE-691, which describes inadequate protection of code against unsafe operations, and maps to ATT&CK technique T1059.006 for execution through kernel modules, as it undermines the kernel's ability to validate program behavior.
Mitigation strategies for CVE-2025-38607 require immediate kernel updates that properly implement the BPF_JSET instruction recognition within the can_jump() function of the verifier component. System administrators should prioritize applying the patched kernel version that includes the fix for this CFG computation error, particularly in environments where eBPF programs are actively used for network filtering, system monitoring, or security enforcement. The fix ensures that all conditional jump instructions, including BPF_JSET, are properly accounted for in control flow analysis, thereby restoring accurate register liveness tracking and preventing potential exploitation scenarios. Additionally, organizations should implement monitoring for suspicious eBPF program loading activities and consider restricting eBPF program capabilities through kernel lockdown mechanisms to minimize the attack surface.