CVE-2025-38723 in Linux
Summary
by MITRE • 09/04/2025
In the Linux kernel, the following vulnerability has been resolved:
LoongArch: BPF: Fix jump offset calculation in tailcall
The extra pass of bpf_int_jit_compile() skips JIT context initialization which essentially skips offset calculation leaving out_offset = -1, so the jmp_offset in emit_bpf_tail_call is calculated by
"#define jmp_offset (out_offset - (cur_offset))"
is a negative number, which is wrong. The final generated assembly are as follow.
54: bgeu $a2, $t1, -8 # 0x0000004c 58: addi.d $a6, $s5, -1 5c: bltz $a6, -16 # 0x0000004c 60: alsl.d $t2, $a2, $a1, 0x3 64: ld.d $t2, $t2, 264 68: beq $t2, $zero, -28 # 0x0000004c
Before apply this patch, the follow test case will reveal soft lock issues.
cd tools/testing/selftests/bpf/ ./test_progs --allow=tailcalls/tailcall_bpf2bpf_1
dmesg: watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [test_progs:25056]
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 02/10/2026
This vulnerability affects the Linux kernel's LoongArch architecture implementation of the Berkeley Packet Filter (BPF) subsystem, specifically within the tail call functionality. The issue stems from an incorrect jump offset calculation in the BPF Just-In-Time (JIT) compilation process. The problem occurs during the compilation phase where bpf_int_jit_compile() executes an extra pass that inadvertently skips the initialization of the JIT context. This omission results in the out_offset variable being set to -1 instead of its proper value, causing subsequent calculations to produce incorrect negative jump offsets. The technical flaw manifests in the jmp_offset calculation formula which becomes invalid when out_offset equals -1, leading to malformed assembly code generation.
The operational impact of this vulnerability is severe as it creates a condition that can cause system instability and potential system hangs. When the BPF tail call mechanism is invoked, the incorrect jump offsets generate malformed assembly instructions that can cause the processor to enter an infinite loop or execute incorrect code paths. The specific assembly instructions show problematic negative offsets such as -8, -16, and -28 which would cause the processor to jump backwards to invalid memory locations or create circular execution paths. The system exhibits symptoms of soft lockups with watchdog timer triggering, as demonstrated by the dmesg output showing CPU#2 stuck for 26 seconds, indicating that the kernel became unresponsive due to the faulty code generation.
The vulnerability aligns with CWE-129, which addresses improper validation of array indices, and CWE-128, which covers wrapping or truncation of integer values. From an ATT&CK perspective, this represents a code injection vulnerability that could potentially be exploited to achieve privilege escalation or denial of service. The issue directly impacts the BPF subsystem's JIT compiler functionality, which is used for high-performance packet filtering and network monitoring in kernel space. The fix involves ensuring proper initialization of the JIT context during all compilation passes, particularly the extra pass that was previously skipping critical initialization steps. This vulnerability demonstrates the importance of proper context management in compiler optimizations and highlights how seemingly minor omissions in code generation can lead to catastrophic system failures.
The affected system components include the LoongArch architecture-specific BPF JIT compiler, the BPF tail call implementation, and the kernel's network packet processing subsystem. Testing reveals that the issue can be reproduced using the specific test case tailcall_bpf2bpf_1 within the BPF selftest suite, which validates the problematic behavior under controlled conditions. The patch addresses the root cause by ensuring that the JIT context initialization occurs consistently across all compilation passes, preventing the out_offset from being incorrectly set to -1 and thereby restoring proper jump offset calculation for the BPF tail call mechanism.