Impact
The Linux kernel BPF subsystem contains a flaw in the map_direct_value_addr function, which already adds the requested offset to the target address. The calling routine, resolve_pseudo_ldimm64, then adds the same offset a second time, producing an address that extends beyond the intended memory region. A BPF program loaded on the system may therefore access memory outside its allocated area, leading to out-of-bounds reads or writes and memory corruption. The weakness is consistent with CWE-823, Use of Out-of-range Pointer Offset.
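The double-applied offset, as an added illustration in C. This is a constructed toy model, not the kernel's own code: the toy_* names, the 64-byte value size and the sample offsets are all assumptions. It places the buggy address computation beside the corrected one and shows the bounds invariant a verifier must check on the final address before permitting a dereference.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy model of a BPF array-map value; not the kernel's data
 * structures. The 64-byte value size is an assumption for the example. */
#define TOY_VALUE_SIZE 64u

struct toy_map {
    uint8_t value[TOY_VALUE_SIZE];
};

/* A single map instance the demo (and its checks) operate on. */
static struct toy_map toy_sample_map;

/* Stand-in for the helper that resolves a direct value address: it returns
 * the value's address with the requested offset ALREADY applied. */
static uintptr_t toy_direct_value_addr(const struct toy_map *m, uint32_t off)
{
    return (uintptr_t)m->value + off;
}

/* Caller modelled on the flaw the advisory describes: the offset is added a
 * second time on top of an address that already includes it. */
static uintptr_t toy_resolve_ldimm64_buggy(const struct toy_map *m, uint32_t off)
{
    uintptr_t addr = toy_direct_value_addr(m, off);
    return addr + off; /* double add: off is counted twice */
}

/* Corrected caller: the helper's result is used as-is. */
static uintptr_t toy_resolve_ldimm64_fixed(const struct toy_map *m, uint32_t off)
{
    return toy_direct_value_addr(m, off);
}

/* Invariant a verifier must hold before allowing a dereference: the whole
 * access [addr, addr + len) lies inside the map value. The addr <= end test
 * comes first so the unsigned subtraction end - addr cannot wrap. */
static bool toy_addr_in_bounds(const struct toy_map *m, uintptr_t addr, size_t len)
{
    uintptr_t start = (uintptr_t)m->value;
    uintptr_t end = start + TOY_VALUE_SIZE; /* one past the last byte */
    return addr >= start && addr <= end && len <= end - addr;
}

/* Number of bytes by which a double-added access of `len` bytes at `off`
 * runs past the end of the value; 0 when it happens to stay inside. */
static size_t toy_overshoot(const struct toy_map *m, uint32_t off, size_t len)
{
    uintptr_t addr = toy_resolve_ldimm64_buggy(m, off);
    uintptr_t end = (uintptr_t)m->value + TOY_VALUE_SIZE;
    if (toy_addr_in_bounds(m, addr, len))
        return 0;
    return (size_t)(addr + len - end);
}

int main(void)
{
    /* Constructed sample offsets: one that stays inside even when doubled,
     * one that escapes the 64-byte value. */
    const uint32_t offsets[] = { 16, 40 };
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        uint32_t off = offsets[i];
        uintptr_t fixed = toy_resolve_ldimm64_fixed(&toy_sample_map, off);
        uintptr_t buggy = toy_resolve_ldimm64_buggy(&toy_sample_map, off);
        printf("off=%u fixed in-bounds=%d buggy in-bounds=%d overshoot=%zu\n",
               off,
               toy_addr_in_bounds(&toy_sample_map, fixed, 8),
               toy_addr_in_bounds(&toy_sample_map, buggy, 8),
               toy_overshoot(&toy_sample_map, off, 8));
    }
    return 0;
}
```

The offset of 16 is the instructive case: doubled to 32, an 8-byte access still lands inside the 64-byte value, so the flaw is silent until 2 * off + len exceeds the value size. That is why the check belongs on the final computed address rather than on the requested offset, and why a bug of this shape can pass casual testing with small offsets.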
Affected Systems
Every Linux kernel build that includes the original implementation of map_direct_value_addr is affected. The vulnerability was fixed in a kernel commit that corrected the offset calculation, and subsequent releases incorporate the patch. Determining whether a given kernel is affected requires checking its version history or confirming that the fixing patch is present in its source.
Risk and Exploitability
The CVSS score of 5.5 indicates medium severity; the EPSS score of < 1% points to a very low probability of exploitation in the wild. The vulnerability is not listed in CISA KEV. An attacker would need the ability to load a custom BPF program, a privilege normally reserved for root or similarly privileged users; on systems where unprivileged BPF is permitted (the kernel.unprivileged_bpf_disabled sysctl set to 0), that bar is lower, so verifying this setting is a worthwhile check. No publicly documented exploits exist, so the current risk remains primarily theoretical, with a moderate impact should the flaw be triggered.
OpenCVE Enrichment