Impact
An off‑by‑one bug in the arm64 BPF JIT causes the signed range check for immediate values to allow one extra bit on either side of the intended signed N‑bit field. When an out‑of‑range value passes the check, the encoding routine masks the raw value into the field, inadvertently setting the sign bit and turning a forward branch into a backward one. This corrupts control flow within the executed BPF program and can lead to incorrect program behavior or data corruption; it does not directly provide arbitrary code execution.
Affected Systems
All Linux kernel installations on ARM64 that enable the BPF JIT and have not applied the commit that fixes the check_imm logic. This includes mainstream distributions, custom kernels, and any kernel that still supports BPF JIT.
Risk and Exploitability
The CVSS score of 7.8 and the EPSS score of < 1% indicate a moderate severity and a low likelihood of widespread exploitation. The flaw is not listed in CISA KEV and currently has no known public exploits. The typical attack vector is inferred to be the ability to load malicious BPF programs, either locally or remotely, that use the disallowed immediate values. Successful exploitation would require a BPF‑capable environment and could result in denial‑of‑service or a stepping‑stone for more complex attacks.
OpenCVE Enrichment
Debian DLA