In the Linux kernel, the following vulnerability has been resolved:
bpf, arm64: Fix fp initialization for exception boundary
In the ARM64 BPF JIT when prog->aux->exception_boundary is set for a BPF
program, find_used_callee_regs() is not called because for a program
acting as exception boundary, all callee saved registers are saved.
find_used_callee_regs() sets ctx->fp_used = true; when it sees FP
being used in any of the instructions.
For programs acting as exception boundary, ctx->fp_used remains false even if frame pointer is used by the program and therefore, FP is not set up for such programs in the prologue. This can cause the kernel to crash due to a page fault.
Fix it by setting ctx->fp_used = true for exception boundary programs as fp is always saved in such programs.
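The following is an added illustration of the prologue decision described above, modelled in plain C; it is not the kernel's JIT code. The struct layouts, the `exception_boundary` flag placed directly on the program struct, and the constructed two-instruction sample program are assumptions made for the example; only the instruction scan for register r10 (BPF_REG_FP) and the before/after branching follow the description.

```c
/* Model of the arm64 BPF JIT prologue decision for exception boundary
 * programs. Added example, not kernel code: struct layouts and field
 * placement are assumptions for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BPF_REG_FP 10   /* BPF frame pointer register r10 */

/* Minimal BPF instruction layout, same field order as the kernel's bpf_insn */
struct bpf_insn {
    uint8_t code;
    uint8_t dst_reg:4;
    uint8_t src_reg:4;
    int16_t off;
    int32_t imm;
};

/* Assumed program container; in the kernel the flag lives in prog->aux */
struct bpf_prog {
    const struct bpf_insn *insnsi;
    size_t len;
    bool exception_boundary;
};

struct jit_ctx {
    bool fp_used;
};

/* Scan every instruction and flag any use of FP as source or destination.
 * Plays the role of find_used_callee_regs() from the description. */
static void find_used_callee_regs(const struct bpf_prog *prog, struct jit_ctx *ctx)
{
    for (size_t i = 0; i < prog->len; i++) {
        const struct bpf_insn *insn = &prog->insnsi[i];
        if (insn->dst_reg == BPF_REG_FP || insn->src_reg == BPF_REG_FP)
            ctx->fp_used = true;
    }
}

/* Pre-fix: the scan is skipped for exception boundary programs, so
 * fp_used stays false and the prologue would not set up FP. */
bool prologue_sets_up_fp_before_fix(const struct bpf_prog *prog)
{
    struct jit_ctx ctx = { .fp_used = false };
    if (!prog->exception_boundary)
        find_used_callee_regs(prog, &ctx);
    return ctx.fp_used;
}

/* Post-fix: FP is always saved for exception boundary programs, so
 * fp_used is forced to true and the prologue sets up FP. */
bool prologue_sets_up_fp_after_fix(const struct bpf_prog *prog)
{
    struct jit_ctx ctx = { .fp_used = false };
    if (prog->exception_boundary)
        ctx.fp_used = true;
    else
        find_used_callee_regs(prog, &ctx);
    return ctx.fp_used;
}

/* Constructed sample: a stack load through FP, then exit.
 * 0x79 = BPF_LDX | BPF_MEM | BPF_DW, 0x95 = BPF_JMP | BPF_EXIT */
static const struct bpf_insn sample_insns[] = {
    { .code = 0x79, .dst_reg = 0, .src_reg = BPF_REG_FP, .off = -8, .imm = 0 }, /* r0 = *(u64 *)(r10 - 8) */
    { .code = 0x95 },                                                           /* exit */
};

/* Same FP-using program, compiled once as an exception boundary and once not */
bool boundary_prog_fp_before_fix(void)
{
    struct bpf_prog p = { sample_insns, 2, true };
    return prologue_sets_up_fp_before_fix(&p);
}

bool boundary_prog_fp_after_fix(void)
{
    struct bpf_prog p = { sample_insns, 2, true };
    return prologue_sets_up_fp_after_fix(&p);
}

bool plain_prog_fp_after_fix(void)
{
    struct bpf_prog p = { sample_insns, 2, false };
    return prologue_sets_up_fp_after_fix(&p);
}

int main(void)
{
    printf("exception boundary, before fix: fp_used=%d\n", boundary_prog_fp_before_fix());
    printf("exception boundary, after fix:  fp_used=%d\n", boundary_prog_fp_after_fix());
    printf("plain program, after fix:       fp_used=%d\n", plain_prog_fp_after_fix());
    return 0;
}
```

With the pre-fix logic the exception boundary program's FP access would be emitted with no FP set-up in the prologue, which is the condition the description ties to the page fault; after the fix both variants report FP as used.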
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/blob/cc431b3424123d84bcd7afd4de150b33f117a8ef/cves/2025/38xxx/CVE-2025-38586.json"
}