Login Sign Up

CVE-2025-38502

7.1 HIGH

📋 TL;DR

This vulnerability in the Linux kernel allows an attacker to perform out-of-bounds memory access via BPF programs using cgroup local storage with tail calls. It affects systems running vulnerable Linux kernel versions with BPF enabled. Attackers could potentially read or write kernel memory beyond allocated boundaries.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific affected versions not specified in CVE, but patches available in stable kernel trees
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires BPF subsystem to be enabled and accessible (typically requires CAP_BPF or CAP_SYS_ADMIN capabilities)

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel memory corruption leading to privilege escalation, denial of service, or information disclosure

🟠

Likely Case

Kernel panic or system crash causing denial of service

🟢

If Mitigated

Limited impact if BPF is disabled or proper kernel hardening is in place

🌐 Internet-Facing: MEDIUM - Requires BPF program execution capability, which typically requires local access or specific services
🏢 Internal Only: MEDIUM - Attackers with local access could exploit this vulnerability

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to load and execute BPF programs, typically requiring elevated privileges

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches available in stable kernel trees (commits referenced in CVE)

Vendor Advisory: https://git.kernel.org/stable/c/19341d5c59e8c7e8528e40f8663e99d67810473c

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version from distribution vendor 2. Reboot system to load new kernel 3. Verify kernel version after reboot

🔧 Temporary Workarounds

Disable BPF subsystem

linux

Prevents loading of BPF programs that could exploit this vulnerability

echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled
sysctl -w kernel.unprivileged_bpf_disabled=1

Restrict BPF capabilities

linux

Limit which users can load BPF programs using Linux capabilities

setcap -r /usr/bin/bpftool
Remove CAP_BPF and CAP_SYS_ADMIN from non-privileged users

🧯 If You Can't Patch

  • Implement strict capability controls to prevent unauthorized BPF program loading
  • Monitor for suspicious BPF program loading and execution activities

🔍 How to Verify

Check if Vulnerable:

Check kernel version and compare with distribution's security advisories for affected versions

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version matches patched version from vendor advisory

📡 Detection & Monitoring

Log Indicators:

  • Kernel oops messages
  • System crashes/panics
  • Audit logs showing BPF program loading

SIEM Query:

source="kernel" AND ("oops" OR "panic" OR "BPF")

📊 Metadata

CVE ID: CVE-2025-38502
CVSS v3 Score: 7.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CWE: CWE-125
EPSS Score: 0.02% exploit probability (2.6th percentile)
Published: August 16, 2025
Last Updated: January 7, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-38502, you might also want to check these:

CVE-2021-41556 10.0

CVE-2021-41556 is a critical out-of-bounds read vulnerability in Squirrel scripting language that al...

Same vulnerability type (CWE-125)
CVE-2024-22004 10.0

This vulnerability allows attackers with privileged access on Linux non-secure operating systems to ...

Same vulnerability type (CWE-125)
CVE-2021-21777 10.0

CVE-2021-21777 is a critical out-of-bounds read vulnerability in the Ethernet/IP UDP handler of OpEN...

Same vulnerability type (CWE-125)