CVE-2025-40078
Published: Oct 28, 2025
Modified: May 11, 2026
Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Explicitly check accesses to bpf_sock_addr Syzkaller found a kernel warning on the following sock_addr program: 0: r0 = 0 1: r2 = *(u32 *)(r1 +60) 2: exit which triggers: verifier bug: error during ctx access conversion (0) This is happening because offset 60 in bpf_sock_addr corresponds to an implicit padding of 4 bytes, right after msg_src_ip4. Access to this padding isn't rejected in sock_addr_is_valid_access and it thus later fails to convert the access. This patch fixes it by explicitly checking the various fields of bpf_sock_addr in sock_addr_is_valid_access. I checked the other ctx structures and is_valid_access functions and didn't find any other similar cases. Other cases of (properly handled) padding are covered in new tests in a subsequent patch.
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected 1cedee13d25ab118d325f95588c1a084e9317229 - < de44cdc50d2dce8718cb57deddf9cf1be9a7759faffected 1cedee13d25ab118d325f95588c1a084e9317229 - < 76e04bbb4296fb6eac084dbfc27e02ccc744db3eaffected 1cedee13d25ab118d325f95588c1a084e9317229 - < 6d8b1a21fd5c34622b0c3893c61e4a38d8ba53ecaffected 1cedee13d25ab118d325f95588c1a084e9317229 - < 4f00858cd9bbbdf67159e28b85a8ca9e77c83622affected 1cedee13d25ab118d325f95588c1a084e9317229 - < cdeafacb4f9ff261a96baef519e29480fd7b1019+3 more versions |
Linux | Linux | affected 4.18unaffected 0 - < 4.18unaffected 5.4.301 - <= 5.4.*unaffected 5.10.246 - <= 5.10.*unaffected 5.15.195 - <= 5.15.*+5 more versions |
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now