CVE-2025-38608
📋 TL;DR
This CVE describes a data corruption vulnerability in the Linux kernel's BPF subsystem when used with kTLS (Kernel TLS). When bpf_msg_pop_data() reduces the plaintext data length during TLS encryption, the kernel fails to recalculate the ciphertext length, causing uninitialized memory to be transmitted. This affects systems running the Linux kernel with BPF socket policies and kTLS enabled.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Uninitialized kernel memory containing sensitive data could be transmitted over TLS connections, potentially exposing secrets or causing TLS parsing failures that disrupt communication.
Likely Case
TLS connection errors, data corruption, or transmission of garbage data causing application failures or connection resets.
If Mitigated
Minor performance impact from connection resets or application errors, but no data exposure if proper network segmentation exists.
🎯 Exploit Status
Exploitation requires ability to load BPF programs and use kTLS, typically requiring elevated privileges or specific application configurations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Multiple stable kernel versions with commits: 0e853c1464bcf61207f8b5c32d2ac5ee495e859d, 16aca8bb4ad0d8a13c8b6da4007f4e52d53035bb, 178f6a5c8cb3b6be1602de0964cd440243f493c9, 1e480387d4b42776f8957fb148af9d75ce93b96d, 6ba20ff3cdb96a908b9dc93cf247d0b087672e7c
Vendor Advisory: https://git.kernel.org/stable/c/
Restart Required: Yes
Instructions:
1. Identify Linux kernel version.
2. Apply appropriate kernel patch from provided git commits.
3. Rebuild kernel if using custom kernel.
4. Reboot system to load patched kernel.
🔧 Temporary Workarounds
Disable kTLS or BPF socket policies
Linux: Disable either Kernel TLS or BPF socket policies to break the vulnerable code path
echo 0 > /proc/sys/net/tls/enable # Disable kTLS
Remove or disable BPF programs using bpf_msg_pop_data()
🧯 If You Can't Patch
- Disable kTLS feature entirely on affected systems
- Audit and remove BPF programs using bpf_msg_pop_data() function
🔍 How to Verify
Check if Vulnerable:
Check if system uses kTLS and has BPF programs with bpf_msg_pop_data(): lsmod | grep tls, bpftool prog list
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version includes one of the fix commits: uname -r, check /proc/version
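The exposure check above, scripted as an added example (not part of the original advisory or the kernel project): it reads the kTLS session counters in /proc/net/tls_stat and counts loaded sk_msg programs, the BPF program type that can call bpf_msg_pop_data(). The function names and sample inputs are constructed for illustration, and the result is a triage signal only; it does not confirm that a given program actually calls the helper.

```shell
#!/bin/sh
# Added example: exposure triage for the kTLS + sk_msg BPF combination.
# The sample inputs below are constructed, not captured from a real host.

# Sum current TX kTLS sessions (software + device offload) from
# /proc/net/tls_stat-formatted text on stdin. This is a point-in-time snapshot.
ktls_tx_sessions() {
    awk '$1 == "TlsCurrTxSw" || $1 == "TlsCurrTxDevice" { n += $2 } END { print n + 0 }'
}

# Count programs of type sk_msg in `bpftool prog list` text on stdin.
# Header lines look like "<id>: <type>  name <name>  tag <tag> ...".
sk_msg_progs() {
    awk '$1 ~ /^[0-9]+:$/ && $2 == "sk_msg" { n++ } END { print n + 0 }'
}

# Both conditions must hold for the affected code path to be in use.
assess() {  # $1 = kTLS TX sessions, $2 = sk_msg program count
    if [ "$1" -gt 0 ] && [ "$2" -gt 0 ]; then
        echo "REVIEW: kTLS TX active and sk_msg programs loaded"
    elif [ "$2" -gt 0 ]; then
        echo "PARTIAL: sk_msg programs loaded, no kTLS TX sessions now"
    elif [ "$1" -gt 0 ]; then
        echo "PARTIAL: kTLS TX active, no sk_msg programs loaded"
    else
        echo "CLEAR: neither condition present"
    fi
}

SAMPLE_TLS_STAT='TlsCurrTxSw 3
TlsCurrRxSw 3
TlsCurrTxDevice 0
TlsTxSw 41'

SAMPLE_PROGS='7: cgroup_skb  tag 6deef7357e7b4530  gpl
    loaded_at 2025-01-01T00:00:00+0000  uid 0
12: sk_msg  name msg_filter  tag 0123456789abcdef  gpl
    loaded_at 2025-01-01T00:00:00+0000  uid 0'

# Use live data when available (bpftool needs root), else the samples.
if [ -r /proc/net/tls_stat ] && command -v bpftool >/dev/null 2>&1; then
    tx=$(ktls_tx_sessions < /proc/net/tls_stat)
    progs=$(bpftool prog list 2>/dev/null | sk_msg_progs)
else
    tx=$(printf '%s\n' "$SAMPLE_TLS_STAT" | ktls_tx_sessions)
    progs=$(printf '%s\n' "$SAMPLE_PROGS" | sk_msg_progs)
fi
assess "$tx" "$progs"
```

A REVIEW result means the host should be prioritized for the patched kernel; inspect each sk_msg program's source to see whether it uses bpf_msg_pop_data().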
📡 Detection & Monitoring
Log Indicators:
- TLS handshake failures
- Application errors related to TLS record parsing
- Kernel logs mentioning BPF or TLS errors
Network Indicators:
- Unexpected TLS connection resets
- Malformed TLS packets in network captures
SIEM Query:
source="kernel" AND ("tls" OR "bpf") AND ("error" OR "fail" OR "corrupt")
🔗 References
- https://git.kernel.org/stable/c/0e853c1464bcf61207f8b5c32d2ac5ee495e859d
- https://git.kernel.org/stable/c/16aca8bb4ad0d8a13c8b6da4007f4e52d53035bb
- https://git.kernel.org/stable/c/178f6a5c8cb3b6be1602de0964cd440243f493c9
- https://git.kernel.org/stable/c/1e480387d4b42776f8957fb148af9d75ce93b96d
- https://git.kernel.org/stable/c/6ba20ff3cdb96a908b9dc93cf247d0b087672e7c
- https://git.kernel.org/stable/c/73fc5d04009d3969ff8e8574f0fd769f04124e59
- https://git.kernel.org/stable/c/849d24dc5aed45ebeb3490df429356739256ac40
- https://git.kernel.org/stable/c/90d6ef67440cec2a0aad71a0108c8f216437345c
- https://git.kernel.org/stable/c/ee03766d79de0f61ea29ffb6ab1c7b196ea1b02e
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html