CVE-2025-40169

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-40169
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40169.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-40169
Downstream
Published
2025-11-12T10:46:51Z
Modified
2025-11-12T20:46:59.788012Z
Summary
bpf: Reject negative offsets for ALU ops
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Reject negative offsets for ALU ops

When verifying BPF programs, the checkaluop() function validates instructions with ALU operations. The 'offset' field in these instructions is a signed 16-bit integer.

The existing check 'insn->off > 1' was intended to ensure the offset is either 0, or 1 for BPFMOD/BPFDIV. However, because 'insn->off' is signed, this check incorrectly accepts all negative values (e.g., -1).

This commit tightens the validation by changing the condition to '(insn->off != 0 && insn->off != 1)'. This ensures that any value other than the explicitly permitted 0 and 1 is rejected, hardening the verifier against malformed BPF programs.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ec0e2da95f72d4a46050a4d994e4fe471474fd80
Fixed
3bce44b344040e5eef3d64d38b157c15304c0aab
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ec0e2da95f72d4a46050a4d994e4fe471474fd80
Fixed
5017c302ca4b2a45149ad64e058fa2d5623c068f
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ec0e2da95f72d4a46050a4d994e4fe471474fd80
Fixed
21167bf70dbe400563e189ac632258d35eda38b5
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ec0e2da95f72d4a46050a4d994e4fe471474fd80
Fixed
55c0ced59fe17dee34e9dfd5f7be63cbab207758

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.34
v6.12.35
v6.12.36
v6.12.37
v6.12.38
v6.12.39
v6.12.4
v6.12.40
v6.12.41
v6.12.42
v6.12.43
v6.12.44
v6.12.45
v6.12.46
v6.12.47
v6.12.48
v6.12.49
v6.12.5
v6.12.50
v6.12.51
v6.12.52
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.17
v6.17-rc1
v6.17-rc2
v6.17-rc3
v6.17-rc4
v6.17-rc5
v6.17-rc6
v6.17-rc7
v6.17.1
v6.17.2
v6.5
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.100
v6.6.101
v6.6.102
v6.6.103
v6.6.104
v6.6.105
v6.6.106
v6.6.107
v6.6.108
v6.6.109
v6.6.11
v6.6.110
v6.6.111
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.54
v6.6.55
v6.6.56
v6.6.57
v6.6.58
v6.6.59
v6.6.6
v6.6.60
v6.6.61
v6.6.62
v6.6.63
v6.6.64
v6.6.65
v6.6.66
v6.6.67
v6.6.68
v6.6.69
v6.6.7
v6.6.70
v6.6.71
v6.6.72
v6.6.73
v6.6.74
v6.6.75
v6.6.76
v6.6.77
v6.6.78
v6.6.79
v6.6.8
v6.6.80
v6.6.81
v6.6.82
v6.6.83
v6.6.84
v6.6.85
v6.6.86
v6.6.87
v6.6.88
v6.6.89
v6.6.9
v6.6.90
v6.6.91
v6.6.92
v6.6.93
v6.6.94
v6.6.95
v6.6.96
v6.6.97
v6.6.98
v6.6.99
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures

[
    {
        "digest": {
            "line_hashes": [
                "54347899927396344585026227254332158878",
                "123484423166798147947012779328499431699",
                "280013472988625345711922733697115001747",
                "73359265110944634233235237634423777133",
                "331627869352445197094502023200886457251",
                "131434319104246021568818906719289275979",
                "121067180857091352785857959548866833749",
                "79086041723558375911370180152848932863"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "kernel/bpf/verifier.c"
        },
        "deprecated": false,
        "id": "CVE-2025-40169-177b7735",
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3bce44b344040e5eef3d64d38b157c15304c0aab",
        "signature_type": "Line"
    },
    {
        "digest": {
            "length": 5600.0,
            "function_hash": "300514061916402605562027912898265524131"
        },
        "target": {
            "file": "kernel/bpf/verifier.c",
            "function": "check_alu_op"
        },
        "deprecated": false,
        "id": "CVE-2025-40169-52619950",
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5017c302ca4b2a45149ad64e058fa2d5623c068f",
        "signature_type": "Function"
    },
    {
        "digest": {
            "line_hashes": [
                "54347899927396344585026227254332158878",
                "123484423166798147947012779328499431699",
                "280013472988625345711922733697115001747",
                "73359265110944634233235237634423777133",
                "331627869352445197094502023200886457251",
                "131434319104246021568818906719289275979",
                "121067180857091352785857959548866833749",
                "79086041723558375911370180152848932863"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "kernel/bpf/verifier.c"
        },
        "deprecated": false,
        "id": "CVE-2025-40169-6385b624",
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@21167bf70dbe400563e189ac632258d35eda38b5",
        "signature_type": "Line"
    },
    {
        "digest": {
            "line_hashes": [
                "54347899927396344585026227254332158878",
                "123484423166798147947012779328499431699",
                "280013472988625345711922733697115001747",
                "73359265110944634233235237634423777133",
                "331627869352445197094502023200886457251",
                "131434319104246021568818906719289275979",
                "121067180857091352785857959548866833749",
                "79086041723558375911370180152848932863"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "kernel/bpf/verifier.c"
        },
        "deprecated": false,
        "id": "CVE-2025-40169-7bae9002",
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5017c302ca4b2a45149ad64e058fa2d5623c068f",
        "signature_type": "Line"
    },
    {
        "digest": {
            "length": 5832.0,
            "function_hash": "323128750765487431060607897376675746271"
        },
        "target": {
            "file": "kernel/bpf/verifier.c",
            "function": "check_alu_op"
        },
        "deprecated": false,
        "id": "CVE-2025-40169-939da481",
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@21167bf70dbe400563e189ac632258d35eda38b5",
        "signature_type": "Function"
    },
    {
        "digest": {
            "line_hashes": [
                "54347899927396344585026227254332158878",
                "123484423166798147947012779328499431699",
                "280013472988625345711922733697115001747",
                "73359265110944634233235237634423777133",
                "331627869352445197094502023200886457251",
                "131434319104246021568818906719289275979",
                "121067180857091352785857959548866833749",
                "79086041723558375911370180152848932863"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "kernel/bpf/verifier.c"
        },
        "deprecated": false,
        "id": "CVE-2025-40169-ac6708d5",
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@55c0ced59fe17dee34e9dfd5f7be63cbab207758",
        "signature_type": "Line"
    },
    {
        "digest": {
            "length": 5696.0,
            "function_hash": "307828354079035225810891447153493504374"
        },
        "target": {
            "file": "kernel/bpf/verifier.c",
            "function": "check_alu_op"
        },
        "deprecated": false,
        "id": "CVE-2025-40169-e3fe4b76",
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@55c0ced59fe17dee34e9dfd5f7be63cbab207758",
        "signature_type": "Function"
    },
    {
        "digest": {
            "length": 5195.0,
            "function_hash": "100790947869994854373177542030359229402"
        },
        "target": {
            "file": "kernel/bpf/verifier.c",
            "function": "check_alu_op"
        },
        "deprecated": false,
        "id": "CVE-2025-40169-f3289a62",
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3bce44b344040e5eef3d64d38b157c15304c0aab",
        "signature_type": "Function"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.6.0
Fixed
6.6.112
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.53
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.17.3