{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-22048", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.810Z", "datePublished": "2025-04-16T14:12:07.679Z", "dateUpdated": "2025-05-26T05:17:20.353Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-26T05:17:20.353Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: BPF: Don't override subprog's return value\n\nThe verifier test `calls: div by 0 in subprog` triggers a panic at the\nld.bu instruction. The ld.bu insn is trying to load byte from memory\naddress returned by the subprog. The subprog actually set the correct\naddress at the a5 register (dedicated register for BPF return values).\nBut at commit 73c359d1d356 (\"LoongArch: BPF: Sign-extend return values\")\nwe also sign extended a5 to the a0 register (return value in LoongArch).\nFor function call insn, we later propagate the a0 register back to a5\nregister. This is right for native calls but wrong for bpf2bpf calls\nwhich expect zero-extended return value in a5 register. So only move a0\nto a5 for native calls (i.e. non-BPF_PSEUDO_CALL)."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/loongarch/net/bpf_jit.c"], "versions": [{"version": "0c8d50501bc13cacecc19caaddc10db372592a39", "lessThan": "7df2696256a034405d3c5a71b3a4c54725de4404", "status": "affected", "versionType": "git"}, {"version": "d5d83242a1d778ceb6d8b07c6b491cf7483ca112", "lessThan": "223d565d8892481684091cfbaf3466f2b0e289d3", "status": "affected", "versionType": "git"}, {"version": "73c359d1d356cf10236ccd358bd55edab33e9424", "lessThan": "780628a780b622759d9e5adc76d15432144da1a3", "status": "affected", "versionType": "git"}, {"version": "73c359d1d356cf10236ccd358bd55edab33e9424", "lessThan": "996e90ab446641553e8e21707b38b9709605e0e0", "status": "affected", "versionType": "git"}, {"version": "73c359d1d356cf10236ccd358bd55edab33e9424", "lessThan": "60f3caff1492e5b8616b9578c4bedb5c0a88ed14", "status": "affected", "versionType": "git"}, {"version": "8382e92f90b601acf6d426121e6f4991502e767d", "status": "affected", "versionType": "git"}, {"version": "3b75f627b73d96787a493e2f1187543ba9c056a4", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/loongarch/net/bpf_jit.c"], "versions": [{"version": "6.13", "status": "affected"}, {"version": "0", "lessThan": "6.13", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.87", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.23", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.11", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14.2", "lessThanOrEqual": "6.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.64", "versionEndExcluding": "6.6.87"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.2", "versionEndExcluding": "6.12.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.13.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.14.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.15"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.120"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11.11"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7df2696256a034405d3c5a71b3a4c54725de4404"}, {"url": "https://git.kernel.org/stable/c/223d565d8892481684091cfbaf3466f2b0e289d3"}, {"url": "https://git.kernel.org/stable/c/780628a780b622759d9e5adc76d15432144da1a3"}, {"url": "https://git.kernel.org/stable/c/996e90ab446641553e8e21707b38b9709605e0e0"}, {"url": "https://git.kernel.org/stable/c/60f3caff1492e5b8616b9578c4bedb5c0a88ed14"}], "title": "LoongArch: BPF: Don't override subprog's return value", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B567878-4D0F-4353-B6A6-D61ABBA96329", "versionEndExcluding": "6.2", "versionStartIncluding": "6.1.120", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "042FFA18-3C6A-4999-AB8F-4F6F5902BEEA", "versionEndExcluding": "6.6.87", "versionStartIncluding": "6.6.64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CBF5F6E-D446-4CAE-AAA4-413442319824", "versionEndExcluding": "6.12", "versionStartIncluding": "6.11.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B5C71FC9-A61C-431A-9215-38D09F5A2FF3", "versionEndExcluding": "6.12.23", "versionStartIncluding": "6.12.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7E864B0-8C00-4679-BA55-659B4C9C3AD3", "versionEndExcluding": "6.13.11", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "FADAE5D8-4808-442C-B218-77B2CE8780A0", "versionEndExcluding": "6.14.2", "versionStartIncluding": "6.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: BPF: Don't override subprog's return value\n\nThe verifier test `calls: div by 0 in subprog` triggers a panic at the\nld.bu instruction. The ld.bu insn is trying to load byte from memory\naddress returned by the subprog. The subprog actually set the correct\naddress at the a5 register (dedicated register for BPF return values).\nBut at commit 73c359d1d356 (\"LoongArch: BPF: Sign-extend return values\")\nwe also sign extended a5 to the a0 register (return value in LoongArch).\nFor function call insn, we later propagate the a0 register back to a5\nregister. This is right for native calls but wrong for bpf2bpf calls\nwhich expect zero-extended return value in a5 register. So only move a0\nto a5 for native calls (i.e. non-BPF_PSEUDO_CALL)."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: LoongArch: BPF: No anule el valor de retorno del subprograma La prueba del verificador `calls: div by 0 in subprog` desencadena un p\u00e1nico en la instrucci\u00f3n ld.bu. La instrucci\u00f3n ld.bu insn intenta cargar un byte desde la direcci\u00f3n de memoria devuelta por el subprograma. El subprograma en realidad estableci\u00f3 la direcci\u00f3n correcta en el registro a5 (registro dedicado para valores de retorno de BPF). Pero en el commit 73c359d1d356 (\"LoongArch: BPF: Valores de retorno con signo extendido\") tambi\u00e9n firmamos a5 extendido en el registro a0 (valor de retorno en LoongArch). Para la instrucci\u00f3n de llamada a funci\u00f3n insn, luego propagamos el registro a0 de vuelta al registro a5. Esto es correcto para llamadas nativas, pero incorrecto para llamadas bpf2bpf que esperan un valor de retorno extendido cero en el registro a5. Por lo tanto, solo mueva a0 a a5 para llamadas nativas (es decir, no BPF_PSEUDO_CALL)."}], "id": "CVE-2025-22048", "lastModified": "2025-10-31T20:20:20.130", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-16T15:15:58.220", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/223d565d8892481684091cfbaf3466f2b0e289d3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/60f3caff1492e5b8616b9578c4bedb5c0a88ed14"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/780628a780b622759d9e5adc76d15432144da1a3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7df2696256a034405d3c5a71b3a4c54725de4404"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/996e90ab446641553e8e21707b38b9709605e0e0"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: LoongArch: BPF: Don't override subprog's return value", "id": "2360255", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2360255"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nLoongArch: BPF: Don't override subprog's return value\nThe verifier test `calls: div by 0 in subprog` triggers a panic at the\nld.bu instruction. The ld.bu insn is trying to load byte from memory\naddress returned by the subprog. The subprog actually set the correct\naddress at the a5 register (dedicated register for BPF return values).\nBut at commit 73c359d1d356 (\"LoongArch: BPF: Sign-extend return values\")\nwe also sign extended a5 to the a0 register (return value in LoongArch).\nFor function call insn, we later propagate the a0 register back to a5\nregister. This is right for native calls but wrong for bpf2bpf calls\nwhich expect zero-extended return value in a5 register. So only move a0\nto a5 for native calls (i.e. non-BPF_PSEUDO_CALL)."], "name": "CVE-2025-22048", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-04-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-22048\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-22048\nhttps://lore.kernel.org/linux-cve-announce/2025041602-CVE-2025-22048-4738@gregkh/T"], "threat_severity": "Low"}

{}