CVE-2025-40078

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-40078

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40078.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-40078

Downstream

AZL-68840

BELL-CVE-2025-40078

DEBIAN-CVE-2025-40078

DLA-4379-1

DLA-4404-1

DSA-6053-1

ECHO-314a-5771-7561

ROOT-OS-DEBIAN-11-CVE-2025-40078

ROOT-OS-DEBIAN-12-CVE-2025-40078

ROOT-OS-DEBIAN-13-CVE-2025-40078

ROOT-OS-UBUNTU-2204-CVE-2025-40078

ROOT-OS-UBUNTU-2404-CVE-2025-40078

SUSE-SU-2025:21040-1

SUSE-SU-2025:21052-1

SUSE-SU-2025:21056-1

SUSE-SU-2025:21064-1

SUSE-SU-2025:21080-1

SUSE-SU-2025:21147-1

SUSE-SU-2025:21180-1

SUSE-SU-2025:4057-1

SUSE-SU-2025:4128-1

SUSE-SU-2025:4132-1

SUSE-SU-2025:4140-1

SUSE-SU-2025:4141-1

SUSE-SU-2025:4189-1

SUSE-SU-2025:4301-1

openSUSE-SU-2025:15702-1

openSUSE-SU-2025:20091-1

openSUSE-SU-2026:10301-1

Related

Published

2025-10-28T11:48:43.548Z

Modified

2026-03-20T12:43:10.326259Z

Summary

bpf: Explicitly check accesses to bpf_sock_addr

Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Explicitly check accesses to bpfsockaddr

Syzkaller found a kernel warning on the following sock_addr program:

0: r0 = 0
1: r2 = *(u32 *)(r1 +60)
2: exit

which triggers:

verifier bug: error during ctx access conversion (0)

This is happening because offset 60 in bpfsockaddr corresponds to an implicit padding of 4 bytes, right after msgsrcip4. Access to this padding isn't rejected in sockaddrisvalidaccess and it thus later fails to convert the access.

This patch fixes it by explicitly checking the various fields of bpfsockaddr in sockaddrisvalidaccess.

I checked the other ctx structures and isvalidaccess functions and didn't find any other similar cases. Other cases of (properly handled) padding are covered in new tests in a subsequent patch.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40078.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

1cedee13d25ab118d325f95588c1a084e9317229

Fixed

de44cdc50d2dce8718cb57deddf9cf1be9a7759f

Fixed

76e04bbb4296fb6eac084dbfc27e02ccc744db3e

Fixed

6d8b1a21fd5c34622b0c3893c61e4a38d8ba53ec

Fixed

4f00858cd9bbbdf67159e28b85a8ca9e77c83622

Fixed

cdeafacb4f9ff261a96baef519e29480fd7b1019

Fixed

fe9d33f0470350558cb08cecb54cf2267b3a45d2

Fixed

ad8b4fe5617e3c85fc23267f02500c4f3bf0ff69

Fixed

6fabca2fc94d33cdf7ec102058983b086293395f

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40078.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.18.0

Fixed

5.4.301

Type: ECOSYSTEM
Events: Introduced

5.5.0

Fixed

5.10.246

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.195

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

6.1.156

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.112

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.53

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.17.3

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40078.json"