CVE-2025-68378 in Linuxinfo

Summary

by MITRE • 12/24/2025

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix stackmap overflow check in __bpf_get_stackid()

Syzkaller reported a KASAN slab-out-of-bounds write in __bpf_get_stackid() when copying stack trace data. The issue occurs when the perf trace contains more stack entries than the stack map bucket can hold, leading to an out-of-bounds write in the bucket's data array.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 05/24/2026

The vulnerability CVE-2025-68378 represents a critical stack buffer overflow flaw in the Linux kernel's eBPF (extended Berkeley Packet Filter) subsystem, specifically within the __bpf_get_stackid() function. This issue manifests as a slab-out-of-bounds write condition that arises during the processing of performance trace data within BPF programs. The vulnerability is particularly concerning because it operates at the kernel level, where such flaws can lead to privilege escalation, system instability, or potential exploitation for arbitrary code execution. The flaw was identified through automated fuzzing conducted by the Syzkaller testing framework, which is widely recognized for its effectiveness in discovering kernel-level vulnerabilities through systematic input generation and execution monitoring.

The technical root cause of this vulnerability lies in inadequate bounds checking within the stackmap overflow handling mechanism of the BPF subsystem. When a perf trace contains a stack trace with more entries than can be accommodated within a stack map bucket's predefined data array, the __bpf_get_stackid() function fails to properly validate the number of stack entries against the bucket capacity. This results in a direct write operation beyond the allocated memory boundaries of the bucket's data array, creating a classic buffer overflow condition. The vulnerability specifically affects the stackmap implementation which is designed to store and manage stack traces for BPF programs, and the flaw occurs during the data copying process when the system attempts to transfer stack trace information into the designated storage structure. This type of issue falls under CWE-121, which categorizes buffer overflow conditions, and more specifically aligns with CWE-787, which addresses out-of-bounds write vulnerabilities.

The operational impact of CVE-2025-68378 extends beyond simple memory corruption, as it represents a potential pathway for privilege escalation attacks within the Linux kernel environment. Attackers could potentially leverage this vulnerability to execute arbitrary code with kernel-level privileges, effectively compromising the entire system. The vulnerability's exploitation would likely require a BPF program to be loaded and executed with sufficient privileges to trigger the problematic code path, though the exact attack vectors would depend on the specific system configuration and available BPF capabilities. Given that BPF is widely used for network monitoring, security policy enforcement, and system tracing, this vulnerability could affect systems running various kernel versions where the flawed code path remains active. The vulnerability's severity is compounded by the fact that it can be triggered through legitimate BPF operations, making detection and prevention challenging in environments where BPF programs are regularly used.

Mitigation strategies for CVE-2025-68378 should focus on immediate kernel updates and patches provided by the Linux kernel maintainers, as this vulnerability has been resolved in recent kernel versions. System administrators should prioritize applying the latest security patches to all affected systems, particularly those running kernel versions that include the vulnerable BPF stackmap implementation. Additionally, implementing proper BPF program validation and monitoring can help reduce the risk of exploitation by preventing untrusted or malicious BPF programs from being loaded into the system. Organizations should also consider restricting BPF program capabilities through kernel lockdown mechanisms and access controls to limit the potential attack surface. The vulnerability's resolution through kernel patches demonstrates the importance of continuous security auditing and the effectiveness of automated testing frameworks like Syzkaller in identifying critical kernel-level issues before they can be exploited in production environments. This vulnerability serves as a reminder of the critical need for robust input validation and bounds checking in kernel space operations, particularly within complex subsystems like BPF that handle diverse data types and structures.

Responsible

Linux

Reservation

12/16/2025

Disclosure

12/24/2025

Moderation

accepted

CPE

ready

EPSS

0.00157

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!