Wind River Support Network

HomeDefectsLIN1021-17168
Acknowledged

LIN1021-17168 : Security Advisory - linux - CVE-2025-38502

Created: Aug 17, 2025    Updated: Jan 26, 2026
Resolved Date: Jan 25, 2026
Found In Version: 10.21.20.1
Severity: Standard
Applicable for: Wind River Linux LTS 21
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix oob access in cgroup local storage

Lonial reported that an out-of-bounds access in cgroup local storage
can be crafted via tail calls. Given two programs each utilizing a
cgroup local storage with a different value size, and one program
doing a tail call into the other. The verifier will validate each of
the indivial programs just fine. However, in the runtime context
the bpf_cg_run_ctx holds an bpf_prog_array_item which contains the
BPF program as well as any cgroup local storage flavor the program
uses. Helpers such as bpf_get_local_storage() pick this up from the
runtime context:

 ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx);
 storage = ctx->prog_item->cgroup_storage[stype];

 if (stype == BPF_CGROUP_STORAGE_SHARED)
 ptr = &READ_ONCE(storage->buf)>data[0];
 else
 ptr = this_cpu_ptr(storage>percpu_buf);

For the second program which was called from the originally attached
one, this means bpf_get_local_storage() will pick up the former
program's map, not its own. With mismatching sizes, this can result
in an unintended out-of-bounds access.

To fix this issue, we need to extend bpf_map_owner with an array of
storage_cookie[] to match on i) the exact maps from the original
program if the second program was using bpf_get_local_storage(), or
ii) allow the tail call combination if the second program was not
using any of the cgroup local storage maps.

========Wind River Notice========

Customers can use kernel.unprivileged_bpf_disabled sysctl to prevent unprivileged users from being able to use eBPF. This would require a privileged user with CAP_SYS_ADMIN or root to be able to abuse this flaw reducing its attack space.

Inspect kernel.unprivileged_bpf_disabled sysctl with the command:

cat /proc/sys/kernel/unprivileged_bpf_disabled
The setting of 1 would mean that unprivileged users can not use eBPF, mitigating the flaw.

echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled

For more details, please refer to Linux kernel official document:
[https://docs.kernel.org/admin-guide/sysctl/kernel.html#unprivileged-bpf-disabled]

CVEs

  • Linkedin
  • Facebook
  • Twitter
  • Youtube