Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Forget ranges when refining tnum after JSET

Syzbot reported a kernel warning due to a range invariant violation on
the following BPF program.

0: call bpf_get_netns_cookie
1: if r0 == 0 goto <exit>
2: if r0 & Oxffffffff goto <exit>

The issue is on the path where we fall through both jumps.

That path is unreachable at runtime: after insn 1, we know r0 != 0, but
with the sign extension on the jset, we would only fallthrough insn 2
if r0 == 0. Unfortunately, is_branch_taken() isn't currently able to
figure this out, so the verifier walks all branches. The verifier then
refines the register bounds using the second condition and we end
up with inconsistent bounds on this unreachable path:

1: if r0 == 0 goto <exit>
r0: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0xffffffffffffffff)
2: if r0 & 0xffffffff goto <exit>
r0 before reg_bounds_sync: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0)
r0 after reg_bounds_sync: u64=[0x1, 0] var_off=(0, 0)

Improving the range refinement for JSET to cover all cases is tricky. We
also don't expect many users to rely on JSET given LLVM doesn't generate
those instructions. So instead of improving the range refinement for
JSETs, Eduard suggested we forget the ranges whenever we're narrowing
tnums after a JSET. This patch implements that approach.
Published: 2025-09-11
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Trusted verifier logic flaw that may allow BPF programs to bypass safety checks
Action: Patch
AI Analysis

Impact

The kernel’s BPF verifier incorrectly refines register bounds when a JSET instruction narrows a tnum. The verifier mistakenly applies inconsistent ranges to a path that is theoretically unreachable, producing misleading bounds that could let a crafted BPF program pass verification. If a malicious BPF program is accepted, it may execute unintended kernel code or corrupt kernel memory, resulting in privilege escalation or denial of service. The flaw is a logic error in the verifier’s range‐refinement routine.

Affected Systems

Any Linux kernel prior to the merge of the range‐forgetting change is vulnerable. The patch was introduced in the mainline kernel and rolled into recent release streams, so systems running earlier kernels lack the fix.

Risk and Exploitability

The CVSS score of 5.5 indicates medium severity, while the EPSS score of less than 1% shows exploitation is unlikely under ordinary circumstances. The issue is not listed in the CISA KEV catalog. Exploitation would require a local user or root to construct and load a custom BPF program; the attack is sophisticated and relies on precise manipulation of verifier state, making it a targeted local threat.

Generated by OpenCVE AI on April 20, 2026 at 16:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a kernel version that contains the BPF verifier fix.
  • Reboot the system after the update to ensure the new kernel is in use.
  • If a kernel upgrade cannot be performed immediately, limit BPF program loading to privileged users and consider disabling nonessential BPF features, such as setting net.core.bpf_jit_enable=0 via sysctl.

Generated by OpenCVE AI on April 20, 2026 at 16:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6243-1 linux security update
EUVD EUVD EUVD-2025-28963 In the Linux kernel, the following vulnerability has been resolved: bpf: Forget ranges when refining tnum after JSET Syzbot reported a kernel warning due to a range invariant violation on the following BPF program. 0: call bpf_get_netns_cookie 1: if r0 == 0 goto <exit> 2: if r0 & Oxffffffff goto <exit> The issue is on the path where we fall through both jumps. That path is unreachable at runtime: after insn 1, we know r0 != 0, but with the sign extension on the jset, we would only fallthrough insn 2 if r0 == 0. Unfortunately, is_branch_taken() isn't currently able to figure this out, so the verifier walks all branches. The verifier then refines the register bounds using the second condition and we end up with inconsistent bounds on this unreachable path: 1: if r0 == 0 goto <exit> r0: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0xffffffffffffffff) 2: if r0 & 0xffffffff goto <exit> r0 before reg_bounds_sync: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0) r0 after reg_bounds_sync: u64=[0x1, 0] var_off=(0, 0) Improving the range refinement for JSET to cover all cases is tricky. We also don't expect many users to rely on JSET given LLVM doesn't generate those instructions. So instead of improving the range refinement for JSETs, Eduard suggested we forget the ranges whenever we're narrowing tnums after a JSET. This patch implements that approach.
Ubuntu USN Ubuntu USN USN-8028-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-2 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8031-1 Linux kernel (GCP) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-3 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-4 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-5 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8031-2 Linux kernel (GCP FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-6 Linux kernel (HWE) vulnerabilities
Ubuntu USN Ubuntu USN USN-8031-3 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8052-1 Linux kernel (Low Latency) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-7 Linux kernel (Low Latency NVIDIA) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-8 Linux kernel (IBM) vulnerabilities
Ubuntu USN Ubuntu USN USN-8052-2 Linux kernel (Xilinx) vulnerabilities
Ubuntu USN Ubuntu USN USN-8074-1 Linux kernel (Azure) vulnerabilities
Ubuntu USN Ubuntu USN USN-8074-2 Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8126-1 Linux kernel (Azure) vulnerabilities
History

Mon, 20 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-213
CWE-251

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
References

Tue, 25 Nov 2025 21:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Fri, 12 Sep 2025 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Linux
Linux linux Kernel
Vendors & Products Linux
Linux linux Kernel

Fri, 12 Sep 2025 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Thu, 11 Sep 2025 17:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bpf: Forget ranges when refining tnum after JSET Syzbot reported a kernel warning due to a range invariant violation on the following BPF program. 0: call bpf_get_netns_cookie 1: if r0 == 0 goto <exit> 2: if r0 & Oxffffffff goto <exit> The issue is on the path where we fall through both jumps. That path is unreachable at runtime: after insn 1, we know r0 != 0, but with the sign extension on the jset, we would only fallthrough insn 2 if r0 == 0. Unfortunately, is_branch_taken() isn't currently able to figure this out, so the verifier walks all branches. The verifier then refines the register bounds using the second condition and we end up with inconsistent bounds on this unreachable path: 1: if r0 == 0 goto <exit> r0: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0xffffffffffffffff) 2: if r0 & 0xffffffff goto <exit> r0 before reg_bounds_sync: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0) r0 after reg_bounds_sync: u64=[0x1, 0] var_off=(0, 0) Improving the range refinement for JSET to cover all cases is tricky. We also don't expect many users to rely on JSET given LLVM doesn't generate those instructions. So instead of improving the range refinement for JSETs, Eduard suggested we forget the ranges whenever we're narrowing tnums after a JSET. This patch implements that approach.
Title bpf: Forget ranges when refining tnum after JSET
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T21:35:31.004Z

Reserved: 2025-04-16T07:20:57.125Z

Link: CVE-2025-39748

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2025-09-11T17:15:38.237

Modified: 2026-04-18T09:16:11.450

Link: CVE-2025-39748

cve-icon Redhat

Severity : Low

Publid Date: 2025-09-11T00:00:00Z

Links: CVE-2025-39748 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T16:45:11Z

Weaknesses