CVE-2025-40078 in Linuxinfo

Summary

by MITRE • 10/28/2025

In the Linux kernel, the following vulnerability has been resolved:

bpf: Explicitly check accesses to bpf_sock_addr

Syzkaller found a kernel warning on the following sock_addr program:

0: r0 = 0 1: r2 = *(u32 *)(r1 +60) 2: exit

which triggers:

verifier bug: error during ctx access conversion (0)

This is happening because offset 60 in bpf_sock_addr corresponds to an implicit padding of 4 bytes, right after msg_src_ip4. Access to this padding isn't rejected in sock_addr_is_valid_access and it thus later fails to convert the access.

This patch fixes it by explicitly checking the various fields of bpf_sock_addr in sock_addr_is_valid_access.

I checked the other ctx structures and is_valid_access functions and didn't find any other similar cases. Other cases of (properly handled) padding are covered in new tests in a subsequent patch.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 02/15/2026

The vulnerability CVE-2025-40078 represents a critical flaw in the Linux kernel's eBPF (extended Berkeley Packet Filter) subsystem that affects how kernel memory accesses are validated during BPF program execution. This issue specifically targets the bpf_sock_addr context structure, which is used by BPF programs to access socket address information. The vulnerability arises from an insufficient validation mechanism that fails to properly reject accesses to implicit padding bytes within the socket address structure, creating a potential vector for privilege escalation or information disclosure attacks.

The technical flaw manifests when a BPF program attempts to access memory offsets that correspond to padding bytes within the bpf_sock_addr structure. In the reported case, a program accessing offset 60 triggers a kernel warning with the error message "verifier bug: error during ctx access conversion (0)". This occurs because offset 60 maps to 4 bytes of implicit padding located immediately after the msg_src_ip4 field in the structure. The sock_addr_is_valid_access function fails to properly validate these padding accesses, allowing them to proceed to the verifier stage where they subsequently fail during context access conversion. This represents a classic case of insufficient input validation and improper access control within kernel space memory management.

The operational impact of this vulnerability extends beyond simple execution failures, as it demonstrates a fundamental weakness in the kernel's BPF verification process that could potentially be exploited by malicious actors to bypass security controls. When BPF programs access padding bytes in socket address structures, the kernel's verifier mechanism encounters undefined behavior during context conversion, which could theoretically be leveraged to craft more sophisticated attacks. The vulnerability affects systems running Linux kernels that implement BPF socket address functionality, particularly those utilizing BPF programs that interact with network socket contexts. This flaw underscores the importance of comprehensive validation of all memory access patterns within kernel space, as even seemingly benign padding bytes can represent security risks when not properly accounted for in access control mechanisms.

The fix implemented in this patch addresses the core issue by explicitly checking all fields within the bpf_sock_addr structure during the sock_addr_is_valid_access validation process. This approach ensures that padding bytes are properly rejected during access validation, preventing them from reaching the verifier stage where they would otherwise cause failures. The patch follows established security principles by implementing defense-in-depth measures that validate all potential access paths within kernel structures. This vulnerability aligns with CWE-121, which covers stack-based buffer overflow conditions, and represents a specific case where improper validation of memory access patterns creates a potential security weakness. The fix also demonstrates adherence to the principle of least privilege by ensuring that BPF programs cannot access memory regions that are not explicitly defined as valid for their intended use within the socket address context.

The resolution of this vulnerability reinforces important security practices in kernel development, particularly around the validation of memory access patterns in complex data structures. The patch's approach of explicitly checking all fields in the bpf_sock_addr structure provides a model for similar validation scenarios in other kernel subsystems. This fix also highlights the importance of comprehensive testing frameworks like Syzkaller in identifying subtle kernel vulnerabilities that might otherwise remain undetected. The subsequent addition of new tests for properly handled padding cases demonstrates the value of maintaining robust test coverage for edge cases in kernel security validation. From an ATT&CK perspective, this vulnerability relates to privilege escalation techniques and kernel memory corruption, making it relevant to the T1068 and T1547.001 attack patterns that focus on leveraging kernel vulnerabilities for elevated privileges and system access. The fix ensures that BPF programs cannot exploit padding bytes to bypass access controls, maintaining the integrity of kernel memory management and preventing potential exploitation by malicious actors.

Responsible

Linux

Reservation

04/16/2025

Disclosure

10/28/2025

Moderation

accepted

CPE

ready

EPSS

0.00197

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!