CVE-2025-38640

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38640
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38640.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38640
Published
2025-08-22T16:00:46Z
Modified
2025-10-10T16:22:57.441708Z
Summary
bpf: Disable migration in nf_hook_run_bpf().
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Disable migration in nf_hook_run_bpf().

syzbot reported that the netfilter bpf prog can be called without migration disabled in xmit path.

Then the assertion in __bpf_prog_run() fails, triggering the splat below. [0]

Let's use bpf_prog_run_pin_on_cpu() in nf_hook_run_bpf().

in_atomic(): 0, irqs_disabled(): 0, migration_disabled() 0 pid: 5829, name: sshd-session
3 locks held by sshd-session/5829:
 #0: ffff88807b4e4218 (sk_lock-AF_INET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1667 [inline]
 #0: ffff88807b4e4218 (sk_lock-AF_INET){+.+.}-{0:0}, at: tcp_sendmsg+0x20/0x50 net/ipv4/tcp.c:1395
 #1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: __ip_queue_xmit+0x69/0x26c0 net/ipv4/ip_output.c:470
 #2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: nf_hook+0xb2/0x680 include/linux/netfilter.h:241
CPU: 0 UID: 0 PID: 5829 Comm: sshd-session Not tainted 6.16.0-rc6-syzkaller-00002-g155a3c003e55 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
 __cant_migrate kernel/sched/core.c:8860 [inline]
 __cant_migrate+0x1c7/0x250 kernel/sched/core.c:8834
 __bpf_prog_run include/linux/filter.h:703 [inline]
 bpf_prog_run include/linux/filter.h:725 [inline]
 nf_hook_run_bpf+0x83/0x1e0 net/netfilter/nf_bpf_link.c:20
 nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline]
 nf_hook_slow+0xbb/0x200 net/netfilter/core.c:623
 nf_hook+0x370/0x680 include/linux/netfilter.h:272
 NF_HOOK_COND include/linux/netfilter.h:305 [inline]
 ip_output+0x1bc/0x2a0 net/ipv4/ip_output.c:433
 dst_output include/net/dst.h:459 [inline]
 ip_local_out net/ipv4/ip_output.c:129 [inline]
 __ip_queue_xmit+0x1d7d/0x26c0 net/ipv4/ip_output.c:527
 __tcp_transmit_skb+0x2686/0x3e90 net/ipv4/tcp_output.c:1479
 tcp_transmit_skb net/ipv4/tcp_output.c:1497 [inline]
 tcp_write_xmit+0x1274/0x84e0 net/ipv4/tcp_output.c:2838
 __tcp_push_pending_frames+0xaf/0x390 net/ipv4/tcp_output.c:3021
 tcp_push+0x225/0x700 net/ipv4/tcp.c:759
 tcp_sendmsg_locked+0x1870/0x42b0 net/ipv4/tcp.c:1359
 tcp_sendmsg+0x2e/0x50 net/ipv4/tcp.c:1396
 inet_sendmsg+0xb9/0x140 net/ipv4/af_inet.c:851
 sock_sendmsg_nosec net/socket.c:712 [inline]
 __sock_sendmsg net/socket.c:727 [inline]
 sock_write_iter+0x4aa/0x5b0 net/socket.c:1131
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x6c7/0x1150 fs/read_write.c:686
 ksys_write+0x1f8/0x250 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe7d365d407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP:

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fd9c663b9ad67dedfc9a3fd3429ddd3e83782b4d
Fixed
ee2502485702e4398cd74dbfb288bfa111d25e62
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fd9c663b9ad67dedfc9a3fd3429ddd3e83782b4d
Fixed
62f6175d145e00fc999fd2fcbffad3f59253c66a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fd9c663b9ad67dedfc9a3fd3429ddd3e83782b4d
Fixed
e0199c28167a8a4adec036005a8df268b2b68529
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fd9c663b9ad67dedfc9a3fd3429ddd3e83782b4d
Fixed
0a356da16fb933abbeeb7aea038c351f3342cd3f
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fd9c663b9ad67dedfc9a3fd3429ddd3e83782b4d
Fixed
17ce3e5949bc37557305ad46316f41c7875d6366

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.34
v6.12.35
v6.12.36
v6.12.37
v6.12.38
v6.12.39
v6.12.4
v6.12.40
v6.12.41
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.15.1
v6.15.2
v6.15.3
v6.15.4
v6.15.5
v6.15.6
v6.15.7
v6.15.8
v6.15.9
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.3
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.100
v6.6.101
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.54
v6.6.55
v6.6.56
v6.6.57
v6.6.58
v6.6.59
v6.6.6
v6.6.60
v6.6.61
v6.6.62
v6.6.63
v6.6.64
v6.6.65
v6.6.66
v6.6.67
v6.6.68
v6.6.69
v6.6.7
v6.6.70
v6.6.71
v6.6.72
v6.6.73
v6.6.74
v6.6.75
v6.6.76
v6.6.77
v6.6.78
v6.6.79
v6.6.8
v6.6.80
v6.6.81
v6.6.82
v6.6.83
v6.6.84
v6.6.85
v6.6.86
v6.6.87
v6.6.88
v6.6.89
v6.6.9
v6.6.90
v6.6.91
v6.6.92
v6.6.93
v6.6.94
v6.6.95
v6.6.96
v6.6.97
v6.6.98
v6.6.99
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.4.0
Fixed
6.6.102
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.42
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.15.10
Type
ECOSYSTEM
Events
Introduced
6.16.0
Fixed
6.16.1