CVE-2025-39990 - Vulnerability Details - OpenCVE

In the Linux kernel, the following vulnerability has been resolved:

bpf: Check the helper function is valid in get_helper_proto

kernel test robot reported verifier bug [1] where the helper func
pointer could be NULL due to disabled config option.

As Alexei suggested we could check on that in get_helper_proto
directly. Marking tail_call helper func with BPF_PTR_POISON,
because it is unused by design.

[1] https://lore.kernel.org/oe-lkp/202507160818.68358831-lkp@intel.com

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/3d429cb1278e995e22995ef117fa96d223a67e93
https://git.kernel.org/stable/c/6233715b4b714068d6c831d214a4e8792109875a
https://git.kernel.org/stable/c/e4414b01c1cd9887bbde92f946c1ba94e40d6d64

History

Wed, 15 Oct 2025 08:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: bpf: Check the helper function is valid in get_helper_proto kernel test robot reported verifier bug [1] where the helper func pointer could be NULL due to disabled config option. As Alexei suggested we could check on that in get_helper_proto directly. Marking tail_call helper func with BPF_PTR_POISON, because it is unused by design. [1] https://lore.kernel.org/oe-lkp/202507160818.68358831-lkp@intel.com
Title		bpf: Check the helper function is valid in get_helper_proto
References		https://git.kernel.org/stable/c/3d429cb1278e995e22995ef117fa96d223a67e93 https://git.kernel.org/stable/c/6233715b4b714068d6c831d214a4e8792109875a https://git.kernel.org/stable/c/e4414b01c1cd9887bbde92f946c1ba94e40d6d64

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-10-15T07:56:07.295Z

Updated: 2025-10-15T07:56:07.295Z

Reserved: 2025-04-16T07:20:57.150Z

Link: CVE-2025-39990

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-10-15T08:15:37.060

Modified: 2025-10-15T08:15:37.060

Link: CVE-2025-39990

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-39990", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.150Z", "datePublished": "2025-10-15T07:56:07.295Z", "dateUpdated": "2025-10-15T07:56:07.295Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-10-15T07:56:07.295Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check the helper function is valid in get_helper_proto\n\nkernel test robot reported verifier bug [1] where the helper func\npointer could be NULL due to disabled config option.\n\nAs Alexei suggested we could check on that in get_helper_proto\ndirectly. Marking tail_call helper func with BPF_PTR_POISON,\nbecause it is unused by design.\n\n [1] https://lore.kernel.org/oe-lkp/202507160818.68358831-lkp@intel.com"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/bpf/core.c", "kernel/bpf/verifier.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "3d429cb1278e995e22995ef117fa96d223a67e93", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "6233715b4b714068d6c831d214a4e8792109875a", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "e4414b01c1cd9887bbde92f946c1ba94e40d6d64", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/bpf/core.c", "kernel/bpf/verifier.c"], "versions": [{"version": "6.12.50", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16.10", "lessThanOrEqual": "6.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.50"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/3d429cb1278e995e22995ef117fa96d223a67e93"}, {"url": "https://git.kernel.org/stable/c/6233715b4b714068d6c831d214a4e8792109875a"}, {"url": "https://git.kernel.org/stable/c/e4414b01c1cd9887bbde92f946c1ba94e40d6d64"}], "title": "bpf: Check the helper function is valid in get_helper_proto", "x_generator": {"engine": "bippy-1.2.0"}}}}