CVE-2025-37963

5.5 MEDIUM

📋 TL;DR

This CVE addresses a vulnerability in the Linux kernel's BPF subsystem on ARM64 architecture where Branch History Buffer (BHB) mitigations were incorrectly applied to all cBPF programs. The fix ensures mitigations only apply to cBPF programs loaded by unprivileged users, preventing unnecessary performance overhead. Systems running Linux kernel on ARM64 hardware with BPF enabled are affected.

💻 Affected Systems

Products:
  • Linux Kernel
Versions: Specific affected kernel versions are not listed in the CVE; it likely affects recent ARM64 kernels with BPF support that predate the fix commits.
Operating Systems: Linux distributions running on ARM64 architecture
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects ARM64 (AArch64) systems with BPF enabled. Requires unprivileged BPF loading capability which is typically disabled by default in secure configurations.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴 Worst Case

If exploited, this could potentially allow bypass of BHB mitigations for cBPF programs, increasing risk of speculative execution attacks like Spectre-BHB on ARM64 systems.

🟠 Likely Case

Most likely impact is performance degradation due to unnecessary BHB mitigations being applied to privileged cBPF programs, with minimal security impact in properly configured systems.

🟢 If Mitigated

With proper kernel patches applied, only unprivileged cBPF programs receive BHB mitigations, maintaining security while optimizing performance.

🌐 Internet-Facing: LOW - This vulnerability requires local access and specific conditions to potentially impact security.
🏢 Internal Only: MEDIUM - Internal users with unprivileged access could potentially exploit this if other conditions are met, but impact is limited.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH - Requires local access, understanding of BPF and speculative execution vulnerabilities, and specific system conditions.

Exploitation would require combining this with other vulnerabilities or misconfigurations to achieve meaningful impact.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing commits: 038866e01ea5e5a3d948898ac216e531e7848669, 477481c4348268136227348984b6699d6370b685, 6e52d043f7dbf1839a24a3fab2b12b0d3839de7a, 80251f62028f1ab2e09be5ca3123f84e8b00389a, df53d418709205450a02bb4d71cbfb4ff86f2c1e

Vendor Advisory: https://git.kernel.org/stable/c/038866e01ea5e5a3d948898ac216e531e7848669

Restart Required: Yes

Instructions:

1. Update the Linux kernel to a version containing the fix commits.
2. For distributions: use the package manager (apt/yum/dnf) to update the kernel.
3. Reboot the system to load the new kernel.

🔧 Temporary Workarounds

Disable unprivileged BPF

Platform: linux

Prevent unprivileged users from loading BPF programs, which eliminates the attack surface.

sysctl -w kernel.unprivileged_bpf_disabled=1
echo 'kernel.unprivileged_bpf_disabled = 1' >> /etc/sysctl.conf
sysctl -p

Disable BPF JIT

Platform: linux

Disable BPF Just-In-Time compilation to reduce attack surface.

sysctl -w net.core.bpf_jit_enable=0
echo 'net.core.bpf_jit_enable = 0' >> /etc/sysctl.conf
sysctl -p

🧯 If You Can't Patch

  • Implement strict access controls to prevent unprivileged users from executing code on affected systems
  • Monitor for unusual BPF program loading activity and implement least privilege principles

🔍 How to Verify

Check if Vulnerable:

Check whether unprivileged BPF loading is currently permitted: cat /proc/sys/kernel/unprivileged_bpf_disabled (a value of 0 means unprivileged users can load BPF programs, so an unpatched kernel is exposed).

Check Version:

uname -r

Verify Fix Applied:

Check kernel version contains fix commits: uname -r and verify with distribution's changelog
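The two workarounds above and the checks in this section both come down to reading a handful of /proc/sys values. The script below is an added example, not part of this advisory and not kernel project code: it reports the state of kernel.unprivileged_bpf_disabled and net.core.bpf_jit_enable and returns a verdict on whether the unprivileged-BPF workaround is in effect. The base directory is a parameter (defaulting to /proc/sys) so the same functions can be run against a copied snapshot of /proc/sys; the snapshot path is hypothetical. One caveat it encodes: writing 1 to kernel.unprivileged_bpf_disabled is sticky and cannot be reverted without a reboot, while newer kernels accept 2, which also disables unprivileged BPF but can be set back to 0 by an administrator.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether the sysctl
# workarounds are in effect by reading the /proc/sys files directly.
# $1 is the sysctl root; pass a snapshot directory to inspect a copy.

# Print the trimmed value of sysctl file $2 under root $1, or "missing"
# if the file does not exist (e.g. a kernel built without BPF JIT).
read_sysctl() {
    f="$1/$2"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        printf 'missing'
    fi
}

# Classify kernel.unprivileged_bpf_disabled:
#   0 -> unprivileged users may load BPF programs (workaround not applied)
#   1 -> disabled, sticky until reboot
#   2 -> disabled, but may be set back to 0 (newer kernels)
unprivileged_bpf_status() {
    case "$(read_sysctl "$1" kernel/unprivileged_bpf_disabled)" in
        0) printf 'ENABLED' ;;
        1) printf 'DISABLED_STICKY' ;;
        2) printf 'DISABLED' ;;
        *) printf 'UNKNOWN' ;;
    esac
}

# Classify net.core.bpf_jit_enable: 0 interpreter only, 1 JIT on,
# 2 JIT on with debug output.
bpf_jit_status() {
    case "$(read_sysctl "$1" net/core/bpf_jit_enable)" in
        0) printf 'OFF' ;;
        1|2) printf 'ON' ;;
        *) printf 'UNKNOWN' ;;
    esac
}

# Exit status 0 when unprivileged BPF is disabled in either mode,
# 1 when it is still enabled, 2 when the value could not be read.
bpf_workaround_applied() {
    case "$(unprivileged_bpf_status "$1")" in
        DISABLED|DISABLED_STICKY) return 0 ;;
        ENABLED) return 1 ;;
        *) return 2 ;;
    esac
}

# Human-readable report for the live system or a snapshot directory.
bpf_hardening_report() {
    base="${1:-/proc/sys}"
    printf 'kernel: %s\n' "$(uname -r)"
    printf 'unprivileged BPF: %s\n' "$(unprivileged_bpf_status "$base")"
    printf 'BPF JIT: %s\n' "$(bpf_jit_status "$base")"
    if bpf_workaround_applied "$base"; then
        printf 'verdict: unprivileged BPF workaround applied\n'
    else
        printf 'verdict: unprivileged BPF workaround NOT applied\n'
    fi
}

# Usage: sh bpf_check.sh report [/path/to/proc/sys/snapshot]
if [ "${1:-}" = "report" ]; then
    bpf_hardening_report "${2:-/proc/sys}"
fi
```

The report only tells you whether the workaround is active, not whether the kernel carries the fix commits; for that, compare uname -r against your distribution's changelog as described above.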

📡 Detection & Monitoring

Log Indicators:

  • Audit logs showing BPF program loads by unprivileged users
  • Kernel logs related to BPF operations

Network Indicators:

  • Not applicable - local vulnerability

SIEM Query:

source="audit.log" AND (bpf OR ebpf) AND user!="root"