{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-22T15:12:56.425","vulnerabilities":[{"cve":{"id":"CVE-2025-38591","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-08-19T17:15:36.790","lastModified":"2026-03-17T16:09:47.267","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reject narrower access to pointer ctx fields\n\nThe following BPF program, simplified from a syzkaller repro, causes a\nkernel warning:\n\n    r0 = *(u8 *)(r1 + 169);\n    exit;\n\nWith pointer field sk being at offset 168 in __sk_buff. This access is\ndetected as a narrower read in bpf_skb_is_valid_access because it\ndoesn't match offsetof(struct __sk_buff, sk). It is therefore allowed\nand later proceeds to bpf_convert_ctx_access. Note that for the\n\"is_narrower_load\" case in the convert_ctx_accesses(), the insn->off\nis aligned, so the cnt may not be 0 because it matches the\noffsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However,\nthe target_size stays 0 and the verifier errors with a kernel warning:\n\n    verifier bug: error during ctx access conversion(1)\n\nThis patch fixes that to return a proper \"invalid bpf_context access\noff=X size=Y\" error on the load instruction.\n\nThe same issue affects multiple other fields in context structures that\nallow narrow access. Some other non-affected fields (for sk_msg,\nsk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for\nconsistency.\n\nNote this syzkaller crash was reported in the \"Closes\" link below, which\nused to be about a different bug, fixed in\ncommit fce7bd8e385a (\"bpf/verifier: Handle BPF_LOAD_ACQ instructions\nin insn_def_regno()\"). Because syzbot somehow confused the two bugs,\nthe new crash and repro didn't get reported to the mailing list."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: Rechazo de acceso más estrecho a campos de puntero ctx. El siguiente programa BPF, simplificado a partir de una reproducción de syzkaller, genera una advertencia del kernel: r0 = *(u8 *)(r1 + 169); exit; Con el campo de puntero sk en el desplazamiento 168 en __sk_buff. Este acceso se detecta como una lectura más estrecha en bpf_skb_is_valid_access porque no coincide con offsetof(struct __sk_buff, sk). Por lo tanto, se permite y posteriormente procede a bpf_convert_ctx_access. Tenga en cuenta que para el caso \"is_narrower_load\" en convert_ctx_accesses(), insn->off está alineado, por lo que cnt puede no ser 0 porque coincide con offsetof(struct __sk_buff, sk) en bpf_convert_ctx_access. Sin embargo, el tamaño objetivo permanece en 0 y el verificador genera una advertencia del kernel: error del verificador: error durante la conversión de acceso a ctx(1). Este parche corrige este error para devolver un error correcto de \"acceso a bpf_context no válido off=X size=Y\" en la instrucción de carga. El mismo problema afecta a varios campos en las estructuras de contexto que permiten acceso restringido. Algunos campos no afectados (para sk_msg, sk_lookup y sockopt) también se modificaron para usar bpf_ctx_range_ptr por consistencia. Tenga en cuenta que este fallo de syzkaller se reportó en el enlace \"Cierres\" a continuación, que solía referirse a un error diferente, corregido en el commit fce7bd8e385a (\"bpf/verifier: Handle BPF_LOAD_ACQ instructions in insn_def_regno()\"). Debido a que syzbot confundió de alguna manera los dos errores, el nuevo fallo y la reproducción no se reportaron a la lista de correo."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"6.16.1","matchCriteriaId":"AB2224FC-84B3-4160-8586-B94DC0B0080B"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/058a0da4f6d916a79b693384111bb80a90d73763","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/202900ceeef67458c964c2af6e1427c8e533ea7c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/33660d44e789edb4f303210c813fc56d56377a90","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7847c4140e06f6e87229faae22cc38525334c156","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e09299225d5ba3916c91ef70565f7d2187e4cca0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/feae34c992eb7191862fb1594c704fbbf650fef8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}