CVE-2025-38586
📋 TL;DR
A flaw in the ARM64 BPF JIT compiler in the Linux kernel fails to initialize the frame pointer for exception boundary programs, potentially causing kernel crashes due to page faults. This affects Linux systems running on ARM64 architecture with BPF programs configured as exception boundaries. The vulnerability requires local access to trigger.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Local denial of service causing kernel panic and system crash, potentially leading to data loss or service disruption.
Likely Case
System instability or crash when specific BPF programs configured as exception boundaries are loaded and executed.
If Mitigated
No impact if systems are patched or don't use exception boundary BPF programs on ARM64.
🎯 Exploit Status
Requires local access and ability to load BPF programs with exception boundary configuration. Exploitation leads to denial of service rather than privilege escalation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits 0dbef493cae7d451f740558665893c000adb2321, 1ce30231e0a2c8c361ee5f8f7f265fc17130adce, b114fcee766d5101eada1aca7bb5fd0a86c89b35, or e23184725dbb72d5d02940222eee36dbba2aa422
Vendor Advisory: https://git.kernel.org/stable/c/0dbef493cae7d451f740558665893c000adb2321
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits.
2. Reboot system to load new kernel.
3. Verify kernel version after reboot.
🔧 Temporary Workarounds
Disable BPF exception boundary programs
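Prevent loading of BPF programs configured as exception boundaries on ARM64 systems by disabling the BPF JIT. The two commands below are equivalent and must be run as root; the setting applies to every BPF program on the system.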
echo 0 > /proc/sys/net/core/bpf_jit_enable
sysctl -w net.core.bpf_jit_enable=0
🧯 If You Can't Patch
- Restrict BPF program loading to trusted users only
- Monitor system logs for kernel panic or page fault errors related to BPF
🔍 How to Verify
Check if Vulnerable:
Check if running ARM64 Linux kernel and if BPF exception boundary programs are in use. Examine kernel logs for related crashes.
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version includes one of the fix commits: 0dbef493cae7d451f740558665893c000adb2321, 1ce30231e0a2c8c361ee5f8f7f265fc17130adce, b114fcee766d5101eada1aca7bb5fd0a86c89b35, or e23184725dbb72d5d02940222eee36dbba2aa422
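The checks above can be combined into one local triage script. This is an added example, not part of the original advisory; the function names and status strings are hypothetical, and it assumes the standard sysctl files /proc/sys/net/core/bpf_jit_enable and /proc/sys/kernel/unprivileged_bpf_disabled.

```shell
#!/bin/sh
# Added example (not from the advisory): local exposure triage for CVE-2025-38586.
# Function names and status strings are hypothetical, chosen for this example.

# Print a sysctl file's value, or "unknown" if it cannot be read.
read_sysctl() {
    if [ -r "$1" ]; then cat "$1"; else echo unknown; fi
}

# classify_exposure ARCH JIT UNPRIV
#   ARCH   - output of `uname -m`
#   JIT    - net.core.bpf_jit_enable (0 = off, 1 = on, 2 = on with debug output)
#   UNPRIV - kernel.unprivileged_bpf_disabled (0 = unprivileged bpf() allowed)
classify_exposure() {
    arch=$1; jit=$2; unpriv=$3
    case "$arch" in
        aarch64*|arm64*) ;;
        *) echo "not-affected: $arch is not ARM64"; return 0 ;;
    esac
    case "$jit" in
        0) echo "mitigated: BPF JIT is disabled"; return 0 ;;  # the advisory's workaround
        1|2) ;;
        *) echo "unknown: cannot read bpf_jit_enable"; return 0 ;;
    esac
    case "$unpriv" in
        0) who="unprivileged bpf() allowed" ;;
        1|2) who="bpf() limited to privileged users" ;;
        *) who="unprivileged_bpf_disabled unreadable" ;;
    esac
    echo "check-patch: ARM64 with BPF JIT on; $who"
}

# Live check on the current host. "check-patch" means the kernel build still
# has to be compared against the fix commits listed in the advisory.
classify_exposure "$(uname -m)" \
    "$(read_sysctl /proc/sys/net/core/bpf_jit_enable)" \
    "$(read_sysctl /proc/sys/kernel/unprivileged_bpf_disabled)"
echo "running kernel: $(uname -r)"
```

A "check-patch" result does not confirm the flaw is present; `uname -r` alone cannot show whether a distribution kernel has the fix commits backported, so compare the build against the vendor's changelog.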
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- Page fault errors in dmesg
- BPF program loading failures
Network Indicators:
- None - local vulnerability only
SIEM Query:
source="kernel" AND ("panic" OR "page fault" OR "BPF") AND arm64