{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T12:22:06.042","vulnerabilities":[{"cve":{"id":"CVE-2025-40079","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-10-28T12:15:42.480","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nriscv, bpf: Sign extend struct ops return values properly\n\nThe ns_bpf_qdisc selftest triggers a kernel panic:\n\n    Unable to handle kernel paging request at virtual address ffffffffa38dbf58\n    Current test_progs pgtable: 4K pagesize, 57-bit VAs, pgdp=0x00000001109cc000\n    [ffffffffa38dbf58] pgd=000000011fffd801, p4d=000000011fffd401, pud=000000011fffd001, pmd=0000000000000000\n    Oops [#1]\n    Modules linked in: bpf_testmod(OE) xt_conntrack nls_iso8859_1 [...] [last unloaded: bpf_testmod(OE)]\n    CPU: 1 UID: 0 PID: 23584 Comm: test_progs Tainted: G        W  OE       6.17.0-rc1-g2465bb83e0b4 #1 NONE\n    Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n    Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2024.01+dfsg-1ubuntu5.1 01/01/2024\n    epc : __qdisc_run+0x82/0x6f0\n     ra : __qdisc_run+0x6e/0x6f0\n    epc : ffffffff80bd5c7a ra : ffffffff80bd5c66 sp : ff2000000eecb550\n     gp : ffffffff82472098 tp : ff60000096895940 t0 : ffffffff8001f180\n     t1 : ffffffff801e1664 t2 : 0000000000000000 s0 : ff2000000eecb5d0\n     s1 : ff60000093a6a600 a0 : ffffffffa38dbee8 a1 : 0000000000000001\n     a2 : ff2000000eecb510 a3 : 0000000000000001 a4 : 0000000000000000\n     a5 : 0000000000000010 a6 : 0000000000000000 a7 : 0000000000735049\n     s2 : ffffffffa38dbee8 s3 : 0000000000000040 s4 : ff6000008bcda000\n     s5 : 0000000000000008 s6 : ff60000093a6a680 s7 : ff60000093a6a6f0\n     s8 : ff60000093a6a6ac s9 : ff60000093140000 s10: 0000000000000000\n     s11: ff2000000eecb9d0 t3 : 0000000000000000 t4 : 0000000000ff0000\n     t5 : 0000000000000000 t6 : ff60000093a6a8b6\n    status: 0000000200000120 badaddr: ffffffffa38dbf58 cause: 000000000000000d\n    [<ffffffff80bd5c7a>] __qdisc_run+0x82/0x6f0\n    [<ffffffff80b6fe58>] __dev_queue_xmit+0x4c0/0x1128\n    [<ffffffff80b80ae0>] neigh_resolve_output+0xd0/0x170\n    [<ffffffff80d2daf6>] ip6_finish_output2+0x226/0x6c8\n    [<ffffffff80d31254>] ip6_finish_output+0x10c/0x2a0\n    [<ffffffff80d31446>] ip6_output+0x5e/0x178\n    [<ffffffff80d2e232>] ip6_xmit+0x29a/0x608\n    [<ffffffff80d6f4c6>] inet6_csk_xmit+0xe6/0x140\n    [<ffffffff80c985e4>] __tcp_transmit_skb+0x45c/0xaa8\n    [<ffffffff80c995fe>] tcp_connect+0x9ce/0xd10\n    [<ffffffff80d66524>] tcp_v6_connect+0x4ac/0x5e8\n    [<ffffffff80cc19b8>] __inet_stream_connect+0xd8/0x318\n    [<ffffffff80cc1c36>] inet_stream_connect+0x3e/0x68\n    [<ffffffff80b42b20>] __sys_connect_file+0x50/0x88\n    [<ffffffff80b42bee>] __sys_connect+0x96/0xc8\n    [<ffffffff80b42c40>] __riscv_sys_connect+0x20/0x30\n    [<ffffffff80e5bcae>] do_trap_ecall_u+0x256/0x378\n    [<ffffffff80e69af2>] handle_exception+0x14a/0x156\n    Code: 892a 0363 1205 489c 8bc1 c7e5 2d03 084a 2703 080a (2783) 0709\n    ---[ end trace 0000000000000000 ]---\n\nThe bpf_fifo_dequeue prog returns a skb which is a pointer. The pointer\nis treated as a 32bit value and sign extend to 64bit in epilogue. This\nbehavior is right for most bpf prog types but wrong for struct ops which\nrequires RISC-V ABI.\n\nSo let's sign extend struct ops return values according to the function\nmodel and RISC-V ABI([0]).\n\n  [0]: https://riscv.org/wp-content/uploads/2024/12/riscv-calling.pdf"}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/918a399501e28e0cc36dbd1fcfb4208f8aa1e4d1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/92751937f12a7d34ad492577a251c94a55e97e72","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fd2e08128944a7679e753f920e9eda72057e427c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}]}