CVE-2025-38640 in Linux
Summary
by MITRE • 08/22/2025
In the Linux kernel, the following vulnerability has been resolved:
bpf: Disable migration in nf_hook_run_bpf().
syzbot reported that the netfilter bpf prog can be called without migration disabled in xmit path.
Then the assertion in __bpf_prog_run() fails, triggering the splat below. [0]
Let's use bpf_prog_run_pin_on_cpu() in nf_hook_run_bpf().
[0]:
BUG: assuming non migratable context at ./include/linux/filter.h:703 in_atomic(): 0, irqs_disabled(): 0, migration_disabled() 0 pid: 5829, name: sshd-session 3 locks held by sshd-session/5829: #0: ffff88807b4e4218 (sk_lock-AF_INET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1667 [inline]
#0: ffff88807b4e4218 (sk_lock-AF_INET){+.+.}-{0:0}, at: tcp_sendmsg+0x20/0x50 net/ipv4/tcp.c:1395
#1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
#1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: __ip_queue_xmit+0x69/0x26c0 net/ipv4/ip_output.c:470
#2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
#2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: nf_hook+0xb2/0x680 include/linux/netfilter.h:241
CPU: 0 UID: 0 PID: 5829 Comm: sshd-session Not tainted 6.16.0-rc6-syzkaller-00002-g155a3c003e55 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 __cant_migrate kernel/sched/core.c:8860 [inline]
__cant_migrate+0x1c7/0x250 kernel/sched/core.c:8834 __bpf_prog_run include/linux/filter.h:703 [inline]
bpf_prog_run include/linux/filter.h:725 [inline]
nf_hook_run_bpf+0x83/0x1e0 net/netfilter/nf_bpf_link.c:20 nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline]
nf_hook_slow+0xbb/0x200 net/netfilter/core.c:623 nf_hook+0x370/0x680 include/linux/netfilter.h:272 NF_HOOK_COND include/linux/netfilter.h:305 [inline]
ip_output+0x1bc/0x2a0 net/ipv4/ip_output.c:433 dst_output include/net/dst.h:459 [inline]
ip_local_out net/ipv4/ip_output.c:129 [inline]
__ip_queue_xmit+0x1d7d/0x26c0 net/ipv4/ip_output.c:527 __tcp_transmit_skb+0x2686/0x3e90 net/ipv4/tcp_output.c:1479 tcp_transmit_skb net/ipv4/tcp_output.c:1497 [inline]
tcp_write_xmit+0x1274/0x84e0 net/ipv4/tcp_output.c:2838 __tcp_push_pending_frames+0xaf/0x390 net/ipv4/tcp_output.c:3021 tcp_push+0x225/0x700 net/ipv4/tcp.c:759 tcp_sendmsg_locked+0x1870/0x42b0 net/ipv4/tcp.c:1359 tcp_sendmsg+0x2e/0x50 net/ipv4/tcp.c:1396 inet_sendmsg+0xb9/0x140 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg net/socket.c:727 [inline]
sock_write_iter+0x4aa/0x5b0 net/socket.c:1131 new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x6c7/0x1150 fs/read_write.c:686 ksys_write+0x1f8/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe7d365d407 Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff RSP:
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 05/28/2026
The vulnerability CVE-2025-38640 resides within the Linux kernel's netfilter framework, specifically in the handling of BPF (Berkeley Packet Filter) programs during network packet transmission. The issue arises from the nf_hook_run_bpf() function which is responsible for executing BPF programs attached to netfilter hooks. When a BPF program is invoked in the xmit path without proper migration disabling, it leads to a critical failure in the __bpf_prog_run() function. This function contains an assertion that assumes a non-migratable context, but the current execution context does not meet this requirement, resulting in a kernel panic or system crash.
The technical flaw manifests when the kernel attempts to run a BPF program in a context where CPU migration is not disabled, violating the assumptions made by the BPF execution engine. The error trace shows that the system is in a state where migration is enabled, yet the BPF execution code requires a non-migratable context to ensure proper execution semantics. This misalignment causes the kernel to trigger a BUG assertion at ./include/linux/filter.h:703, indicating that it cannot proceed with the execution as expected. The stack trace reveals that the issue occurs during TCP packet transmission, specifically in the ip_output path, where the BPF program is executed as part of the netfilter hook chain.
The operational impact of this vulnerability is significant as it can lead to system instability and potential denial of service conditions. When triggered, the kernel panic prevents normal network operations and can cause the entire system to become unresponsive. The vulnerability is particularly concerning because it occurs during routine network operations such as TCP packet transmission, making it exploitable through network-based attacks. Attackers could potentially cause system crashes by crafting specific network traffic that triggers the vulnerable code path. This vulnerability affects systems running Linux kernel versions where the netfilter BPF functionality is enabled and actively used for packet filtering or manipulation.
The mitigation strategy involves modifying the nf_hook_run_bpf() function to use bpf_prog_run_pin_on_cpu() instead of the standard BPF execution mechanism. This change ensures that when BPF programs are executed in the network transmit path, the execution is pinned to the current CPU and migration is properly disabled. This approach aligns with the kernel's requirement that BPF programs must execute in a non-migratable context to maintain proper execution semantics and prevent race conditions. The fix follows established kernel practices for handling BPF execution in contexts where CPU migration could interfere with program execution. This vulnerability is classified under CWE-665: Improper Initialization and relates to ATT&CK technique T1489: Service Stop, as it can cause system instability and denial of service through kernel panics. The fix ensures that BPF programs execute in a controlled environment that prevents the conditions leading to the assertion failure, thereby maintaining system stability during network operations.