{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-21T19:26:42.148","vulnerabilities":[{"cve":{"id":"CVE-2025-40143","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-11-12T11:15:44.130","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: dont report verifier bug for missing bpf_scc_visit on speculative path\n\nSyzbot generated a program that triggers a verifier_bug() call in\nmaybe_exit_scc(). maybe_exit_scc() assumes that, when called for a\nstate with insn_idx in some SCC, there should be an instance of struct\nbpf_scc_visit allocated for that SCC. Turns out the assumption does\nnot hold for speculative execution paths. See example in the next\npatch.\n\nmaybe_scc_exit() is called from update_branch_counts() for states that\nreach branch count of zero, meaning that path exploration for a\nparticular path is finished. Path exploration can finish in one of\nthree ways:\na. Verification error is found. In this case, update_branch_counts()\n   is called only for non-speculative paths.\nb. Top level BPF_EXIT is reached. Such instructions are never a part of\n   an SCC, so compute_scc_callchain() in maybe_scc_exit() will return\n   false, and maybe_scc_exit() will return early.\nc. A checkpoint is reached and matched. Checkpoints are created by\n   is_state_visited(), which calls maybe_enter_scc(), which allocates\n   bpf_scc_visit instances for checkpoints within SCCs.\n\nHence, for non-speculative symbolic execution paths, the assumption\nstill holds: if maybe_scc_exit() is called for a state within an SCC,\nbpf_scc_visit instance must exist.\n\nThis patch removes the verifier_bug() call for speculative paths."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/3861e7c4324aa20a632fb74eb3904114f6afdb57","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a3c73d629ea1373af3c0c954d41fd1af555492e3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}]}