CVE-2025-38285
📋 TL;DR
A Linux kernel bug in the BPF tracing subsystem. get_bpf_raw_tp_regs() in kernel/trace/bpf_trace.c hands out one of three per-CPU pt_regs slots to raw-tracepoint BPF helpers (bpf_get_stack, bpf_get_stackid, bpf_perf_event_output); when those helpers are reached from tracepoints nested more than three levels deep, the function hits a WARN_ON_ONCE() before returning -EBUSY. On a kernel with panic_on_warn enabled (as syzkaller's test kernels are) that warning is a kernel panic, i.e. a local denial of service; otherwise it is a single warning splat in the kernel log and the system keeps running. This affects systems running unpatched kernels with BPF tracing compiled in (CONFIG_BPF_EVENTS). The issue was reported by syzkaller fuzzing; the fix drops the WARN_ON_ONCE() so the overflow is handled quietly with -EBUSY.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →
⚠️ Risk & Real-World Impact
Worst Case
On a kernel running with kernel.panic_on_warn=1 the WARN becomes a kernel panic: system crash and denial of service for every service hosted on that machine. Without panic_on_warn the bug does not crash the system.
Likely Case
A single WARNING splat in the kernel log (the check is WARN_ON_ONCE, so at most once per boot) when a raw-tracepoint BPF program's helper call is reached from tracepoints nested more than three deep; the helper returns -EBUSY and the system keeps running. This mainly affects debugging and tracing workloads that attach raw-tracepoint programs.
If Mitigated
With panic_on_warn off and BPF program loading restricted to trusted processes, the residual effect is at most a warning message in the kernel log.
🎯 Exploit Status
Requires local access and the ability to load and attach a raw-tracepoint BPF program, which needs CAP_BPF plus CAP_PERFMON, or CAP_SYS_ADMIN (root). Discovered through syzkaller fuzzing; not known to be actively exploited.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Mainline commit 147ea936fc6fa8fe0c93f0df918803a5375ca535 ("bpf: Fix WARN() in get_bpf_raw_tp_regs") or later; the other git.kernel.org commits listed under References are the stable-branch backports.
Vendor Advisory: https://git.kernel.org/stable/c/147ea936fc6fa8fe0c93f0df918803a5375ca535
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version. 2. Check distribution-specific security advisories. 3. Reboot system to load new kernel.
🔧 Temporary Workarounds
Turn off panic_on_warn
With panic_on_warn off, the WARN_ON_ONCE is a log message rather than a crash, which removes the denial-of-service outcome without touching BPF at all. Check first whether your fleet relies on panic_on_warn for crash-dump collection.
sysctl -w kernel.panic_on_warn=0
Restrict who can load BPF programs
Disable unprivileged bpf(2). This is defence in depth rather than a block: raw-tracepoint programs already need CAP_BPF plus CAP_PERFMON, or CAP_SYS_ADMIN, so privileged loaders are unaffected. The value 1 is a one-way switch; 2 disables but can be reverted.
sysctl -w kernel.unprivileged_bpf_disabled=1
Restrict BPF capabilities
Audit for binaries carrying file capabilities that allow loading tracing programs and strip them where they are not needed (bpftool itself normally carries no file capabilities and is simply run as root, so setcap on it changes nothing).
getcap -r / 2>/dev/null | grep -E 'cap_(bpf|perfmon|sys_admin)'
setcap -r /path/to/binary-that-does-not-need-them
Drop CAP_BPF, CAP_PERFMON and CAP_SYS_ADMIN from the capability bounding sets of non-essential services and containers (for systemd units, CapabilityBoundingSet=; for containers, the runtime's capability drop list).
🧯 If You Can't Patch
- Implement strict BPF program auditing and monitoring
- Isolate critical systems and limit BPF usage to trusted processes only
🔍 How to Verify
Check if Vulnerable:
A running kernel does not expose commit hashes, so check the source tree or the distribution changelog. In a kernel source tree: git merge-base --is-ancestor 147ea936fc6fa8fe0c93f0df918803a5375ca535 HEAD && echo 'contains fix' (mainline hash; stable trees carry the backport hashes listed under References). Alternatively inspect the code itself: grep -n 'ARRAY_SIZE(tp_regs->regs)' kernel/trace/bpf_trace.c prints the nesting check in get_bpf_raw_tp_regs(); on an unpatched tree that line wraps the comparison in WARN_ON_ONCE(), on a patched tree it is a plain if (nest_level > ...). Record uname -r alongside the result.
Check Version:
uname -r
Verify Fix Applied:
/proc/version carries no commit hashes, so use the distribution's package changelog instead. RPM-based systems: rpm -q --changelog kernel | grep -q CVE-2025-38285 && echo 'Patched' (package name may be kernel-core on some distributions). Debian/Ubuntu: apt-get changelog linux-image-$(uname -r) | grep -q CVE-2025-38285 && echo 'Patched' (the Debian LTS advisories are listed under References). Reboot into the patched kernel and confirm uname -r matches the fixed package version.
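An added example, not part of the CVE record or of the kernel project's code, that turns the workaround and verification steps above into a checkable script: it reports whether a triggered WARN would panic this host, the state of unprivileged bpf(2), and which binaries carry file capabilities sufficient to load raw-tracepoint programs. It assumes getcap(8) output in either of its two formats ("path caps=ep" or "path = caps+ep") and reads sysctl values from /proc/sys only when run with --host; the getcap listing embedded below is constructed.

```shell
#!/bin/sh
# Added example (not from the CVE record or the kernel tree): assess a host's
# exposure to the get_bpf_raw_tp_regs() WARN and what a triggered WARN would do.
# Assumptions: getcap(8) output in either "path caps=ep" or "path = caps+ep"
# form; sysctl values are read from /proc/sys only when run with --host.

# warn_outcome VALUE_OF_kernel.panic_on_warn
# A WARN_ON_ONCE() splat is only a denial of service when panic_on_warn is set.
warn_outcome() {
    case "$1" in
        0) echo "log-only" ;;
        *) echo "panic" ;;
    esac
}

# unpriv_bpf_state VALUE_OF_kernel.unprivileged_bpf_disabled
# 0 = unprivileged bpf(2) allowed, 1 = disabled (one-way switch),
# 2 = disabled but can be reverted. Raw-tracepoint programs need
# CAP_BPF+CAP_PERFMON (or CAP_SYS_ADMIN) regardless, so this is defence in depth.
unpriv_bpf_state() {
    case "$1" in
        0) echo "allowed" ;;
        1) echo "disabled-locked" ;;
        2) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# bpf_loaders GETCAP_LISTING
# Print binaries whose file capabilities let them load tracing BPF programs:
# cap_sys_admin alone, or cap_bpf together with cap_perfmon.
bpf_loaders() {
    printf '%s\n' "$1" | awk 'NF >= 2 {
        path = $1; $1 = ""; caps = tolower($0)
        if (caps ~ /cap_sys_admin/ || (caps ~ /cap_bpf/ && caps ~ /cap_perfmon/))
            print path
    }'
}

# host_report: live assessment of the current machine (getcap -r / wants root).
host_report() {
    pow=$(cat /proc/sys/kernel/panic_on_warn 2>/dev/null || echo 0)
    ubd=$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || echo 0)
    echo "kernel: $(uname -r)"
    echo "WARN outcome: $(warn_outcome "$pow") (kernel.panic_on_warn=$pow)"
    echo "unprivileged bpf(): $(unpriv_bpf_state "$ubd")"
    if command -v getcap >/dev/null 2>&1; then
        echo "binaries with file caps able to load tracing BPF programs:"
        bpf_loaders "$(getcap -r / 2>/dev/null)"
    fi
}

# Constructed getcap listing (hypothetical paths) used when run without --host.
SAMPLE_CAPS='/usr/bin/ping cap_net_raw=ep
/usr/local/bin/tracer cap_bpf,cap_perfmon=ep
/usr/local/bin/loader = cap_bpf+ep
/opt/agent/bin/agent cap_sys_admin=ep'

if [ "${1:-}" = "--host" ]; then
    host_report
else
    echo "sample loaders: $(bpf_loaders "$SAMPLE_CAPS" | tr '\n' ' ')"
fi
```

Run it with --host as root for a real assessment. On the constructed listing only tracer (cap_bpf and cap_perfmon) and agent (cap_sys_admin) are reported; loader has cap_bpf alone and cannot load a raw-tracepoint program, so it is correctly left out.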
📡 Detection & Monitoring
Log Indicators:
- A kernel WARNING splat at kernel/trace/bpf_trace.c naming get_bpf_raw_tp_regs, typically with bpf_get_stack_raw_tp, bpf_get_stackid_raw_tp or bpf_perf_event_output_raw_tp frames in the call trace (at most one per boot, since the check is WARN_ON_ONCE)
- On hosts with panic_on_warn, a following "Kernel panic - not syncing: kernel: panic_on_warn set ..." line and an unexpected reboot while BPF tracing is active
Network Indicators:
- None - local vulnerability only
SIEM Query:
Splunk-style; match the WARN site itself rather than any "kernel panic" string, which would also fire on unrelated panics:
source="kernel" ("WARNING:" "get_bpf_raw_tp_regs") OR ("Kernel panic - not syncing" "panic_on_warn")
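The detection logic above as an added example (not part of the CVE record), run over constructed kernel log lines: it classifies a log as clean, warn or panic by matching the WARN site, and shows why a bare "kernel panic" match is too broad. The sample lines mimic the syzkaller report format; the timestamps, PID, CPU number and symbol offsets are invented.

```shell
#!/bin/sh
# Added example (not from the CVE record): classify kernel log text for the
# CVE-2025-38285 signature. Match the WARN site in get_bpf_raw_tp_regs(), not
# any "kernel panic" string. Sample lines are constructed; offsets are invented.

# scan_kernel_log LOG_TEXT -> "clean" | "warn" | "panic"
scan_kernel_log() {
    log=$1
    if ! printf '%s\n' "$log" | grep -Eq 'WARNING: CPU: [0-9]+ PID: [0-9]+ at kernel/trace/bpf_trace\.c:[0-9]+ get_bpf_raw_tp_regs\+'; then
        echo clean
    elif printf '%s\n' "$log" | grep -Eq 'Kernel panic - not syncing: .*panic_on_warn'; then
        echo panic
    else
        echo warn
    fi
}

# warn_context LOG_TEXT -> "cpu=N pid=N" from the first matching splat, for triage
warn_context() {
    printf '%s\n' "$1" \
      | sed -nE 's|.*WARNING: CPU: ([0-9]+) PID: ([0-9]+) at kernel/trace/bpf_trace\.c:[0-9]+ get_bpf_raw_tp_regs.*|cpu=\1 pid=\2|p' \
      | head -n 1
}

# Constructed samples (format modelled on the syzkaller report; values invented).
SAMPLE_WARN='[  123.456789] ------------[ cut here ]------------
[  123.456790] WARNING: CPU: 3 PID: 5971 at kernel/trace/bpf_trace.c:1861 get_bpf_raw_tp_regs+0xa4/0x100
[  123.456791] Call Trace:
[  123.456792]  ____bpf_get_stack_raw_tp+0x2a/0x120'
SAMPLE_PANIC="$SAMPLE_WARN
[  123.456800] Kernel panic - not syncing: kernel: panic_on_warn set ..."
# An unrelated panic plus ordinary BPF activity: must NOT match.
SAMPLE_CLEAN='[   10.000000] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
[   12.000000] bpf: prog loaded'

echo "warn sample:  $(scan_kernel_log "$SAMPLE_WARN") ($(warn_context "$SAMPLE_WARN"))"
echo "panic sample: $(scan_kernel_log "$SAMPLE_PANIC")"
echo "clean sample: $(scan_kernel_log "$SAMPLE_CLEAN")"
# Live use: scan_kernel_log "$(journalctl -k --no-pager)"  or  scan_kernel_log "$(dmesg)"
```

Because the check is WARN_ON_ONCE, the splat appears at most once per boot; a "warn" result on a host without panic_on_warn means the nesting was hit at least once since boot, not that it is still happening.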
🔗 References
- https://git.kernel.org/stable/c/147ea936fc6fa8fe0c93f0df918803a5375ca535
- https://git.kernel.org/stable/c/18e8cbbae79cb35bdce8a01c889827b9799c762e
- https://git.kernel.org/stable/c/3880cdbed1c4607e378f58fa924c5d6df900d1d3
- https://git.kernel.org/stable/c/44ebe361abb322d2afd77930fa767a99f271c4d1
- https://git.kernel.org/stable/c/6d8f39875a10a194051c3eaefebc7ac06a34aaf3
- https://git.kernel.org/stable/c/c98cdf6795a36bca163ebb40411fef1687b9eb13
- https://git.kernel.org/stable/c/e167414beabb1e941fe563a96becc98627d5bdf6
- https://git.kernel.org/stable/c/ee90be48edb3dac612e0b7f5332482a9e8be2696
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html