{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-38586", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:24.026Z", "datePublished": "2025-08-19T17:03:08.012Z", "dateUpdated": "2025-09-29T05:54:18.300Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-09-29T05:54:18.300Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, arm64: Fix fp initialization for exception boundary\n\nIn the ARM64 BPF JIT when prog->aux->exception_boundary is set for a BPF\nprogram, find_used_callee_regs() is not called because for a program\nacting as exception boundary, all callee saved registers are saved.\nfind_used_callee_regs() sets `ctx->fp_used = true;` when it sees FP\nbeing used in any of the instructions.\n\nFor programs acting as exception boundary, ctx->fp_used remains false\neven if frame pointer is used by the program and therefore, FP is not\nset-up for such programs in the prologue. This can cause the kernel to\ncrash due to a pagefault.\n\nFix it by setting ctx->fp_used = true for exception boundary programs as\nfp is always saved in such programs."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/arm64/net/bpf_jit_comp.c"], "versions": [{"version": "5d4fa9ec5643a5c75d3c1e6abf50fb9284caf1ff", "lessThan": "0dbef493cae7d451f740558665893c000adb2321", "status": "affected", "versionType": "git"}, {"version": "5d4fa9ec5643a5c75d3c1e6abf50fb9284caf1ff", "lessThan": "e23184725dbb72d5d02940222eee36dbba2aa422", "status": "affected", "versionType": "git"}, {"version": "5d4fa9ec5643a5c75d3c1e6abf50fb9284caf1ff", "lessThan": "1ce30231e0a2c8c361ee5f8f7f265fc17130adce", "status": "affected", "versionType": "git"}, {"version": "5d4fa9ec5643a5c75d3c1e6abf50fb9284caf1ff", "lessThan": "b114fcee766d5101eada1aca7bb5fd0a86c89b35", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/arm64/net/bpf_jit_comp.c"], "versions": [{"version": "6.12", "status": "affected"}, {"version": "0", "lessThan": "6.12", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.42", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15.10", "lessThanOrEqual": "6.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16.1", "lessThanOrEqual": "6.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.12.42"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.15.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.16.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.17"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0dbef493cae7d451f740558665893c000adb2321"}, {"url": "https://git.kernel.org/stable/c/e23184725dbb72d5d02940222eee36dbba2aa422"}, {"url": "https://git.kernel.org/stable/c/1ce30231e0a2c8c361ee5f8f7f265fc17130adce"}, {"url": "https://git.kernel.org/stable/c/b114fcee766d5101eada1aca7bb5fd0a86c89b35"}], "title": "bpf, arm64: Fix fp initialization for exception boundary", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1FC3F76F-C8CF-4B19-AC3D-AA1AE05558D7", "versionEndExcluding": "6.12.42", "versionStartIncluding": "6.12", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5890C690-B295-40C2-9121-FF5F987E5142", "versionEndExcluding": "6.15.10", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "58182352-D7DF-4CC9-841E-03C1D852C3FB", "versionEndExcluding": "6.16.1", "versionStartIncluding": "6.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, arm64: Fix fp initialization for exception boundary\n\nIn the ARM64 BPF JIT when prog->aux->exception_boundary is set for a BPF\nprogram, find_used_callee_regs() is not called because for a program\nacting as exception boundary, all callee saved registers are saved.\nfind_used_callee_regs() sets `ctx->fp_used = true;` when it sees FP\nbeing used in any of the instructions.\n\nFor programs acting as exception boundary, ctx->fp_used remains false\neven if frame pointer is used by the program and therefore, FP is not\nset-up for such programs in the prologue. This can cause the kernel to\ncrash due to a pagefault.\n\nFix it by setting ctx->fp_used = true for exception boundary programs as\nfp is always saved in such programs."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf, arm64: Arreglar la inicializaci\u00f3n de fp para el l\u00edmite de excepci\u00f3n En el JIT BPF de ARM64 cuando se configura prog->aux->exception_boundary para un programa BPF, no se llama a find_used_callee_regs() porque para un programa que act\u00faa como l\u00edmite de excepci\u00f3n, se guardan todos los registros guardados del llamado. find_used_callee_regs() establece `ctx->fp_used = true;` cuando ve que se usa FP en cualquiera de las instrucciones. Para los programas que act\u00faan como l\u00edmite de excepci\u00f3n, ctx->fp_used permanece falso incluso si el programa usa el puntero de frame y, por lo tanto, FP no est\u00e1 configurado para tales programas en el pr\u00f3logo. Esto puede hacer que el kernel se bloquee debido a un fallo de p\u00e1gina. Corr\u00edjalo configurando ctx->fp_used = true para los programas con l\u00edmite de excepci\u00f3n, ya que fp siempre se guarda en tales programas."}], "id": "CVE-2025-38586", "lastModified": "2025-11-26T17:58:10.127", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-08-19T17:15:36.113", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0dbef493cae7d451f740558665893c000adb2321"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1ce30231e0a2c8c361ee5f8f7f265fc17130adce"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b114fcee766d5101eada1aca7bb5fd0a86c89b35"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e23184725dbb72d5d02940222eee36dbba2aa422"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: bpf, arm64: Fix fp initialization for exception boundary", "id": "2389486", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2389486"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2025-38586", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-08-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-38586\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38586\nhttps://lore.kernel.org/linux-cve-announce/2025081915-CVE-2025-38586-789b@gregkh/T"], "threat_severity": "Low"}

{"created": "2025-08-21T12:31:36.049274+00:00", "updated": "2025-08-21T12:31:36.049343+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}