Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Forget ranges when refining tnum after JSET Syzbot reported a kernel warning due to a range invariant violation on the following BPF program. 0: call bpf_get_netns_cookie 1: if r0 == 0 goto <exit> 2: if r0 & Oxffffffff goto <exit> The issue is on the path where we fall through both jumps. That path is unreachable at runtime: after insn 1, we know r0 != 0, but with the sign extension on the jset, we would only fallthrough insn 2 if r0 == 0. Unfortunately, is_branch_taken() isn't currently able to figure this out, so the verifier walks all branches. The verifier then refines the register bounds using the second condition and we end up with inconsistent bounds on this unreachable path: 1: if r0 == 0 goto <exit> r0: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0xffffffffffffffff) 2: if r0 & 0xffffffff goto <exit> r0 before reg_bounds_sync: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0) r0 after reg_bounds_sync: u64=[0x1, 0] var_off=(0, 0) Improving the range refinement for JSET to cover all cases is tricky. We also don't expect many users to rely on JSET given LLVM doesn't generate those instructions. So instead of improving the range refinement for JSETs, Eduard suggested we forget the ranges whenever we're narrowing tnums after a JSET. This patch implements that approach.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux Kernel | < 6.12.43 |
References
- https://git.kernel.org/stable/c/0643aa2468192a4d81326e8e76543854870b1ee2
- https://git.kernel.org/stable/c/22191359f8454b0be082c3b126f86bcbea0f1318
- https://git.kernel.org/stable/c/2fd0c26bacd90ef26522bd3169000a4715bf151fPatch
- https://git.kernel.org/stable/c/591c788d16046edb0220800bf1819554af5853ce
- https://git.kernel.org/stable/c/6279846b9b2532e1b04559ef8bd0dec049f29383Patch
- https://git.kernel.org/stable/c/80a6b11862a7cfdf691e8f9faee89cfea219f098Patch
- https://git.kernel.org/stable/c/c29dd8336236a4deb75596b52d2dd16ccc4a380d
- https://git.kernel.org/stable/c/f01e06930444cab289a8783017af9b64255bd103Patch
FAQ
What is CVE-2025-39748?
CVE-2025-39748 is a vulnerability with a CVSS score of 5.5 (MEDIUM). In the Linux kernel, the following vulnerability has been resolved: bpf: Forget ranges when refining tnum after JSET Syzbot reported a kernel warning due to a range invariant violation on the follow...
How severe is CVE-2025-39748?
CVE-2025-39748 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-39748?
Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel.