Impact
An out‑of‑bounds read occurs in the Linux kernel when a BPF map of type CGROUP_STORAGE with a value size not rounded to 8 bytes is copied into a per‑CPU map of the same size. The kernel routine pcpu_init_value assumes source values are 8‑byte aligned and copies 8 bytes, which causes a read beyond the source buffer. This vulnerability allows an attacker to read unintended kernel memory, potentially exposing sensitive information; the description does not indicate that the read could directly lead to kernel execution or a crash, so the primary impact is information disclosure. This is a CWE‑805: Out‑of‑Bounds Read vulnerability.
Affected Systems
Linux kernel versions prior to the commit 576afddfee8d1108ee299bf10f581593540d1a36 are affected. All kernel releases that expose the BPF interface for CGROUP_STORAGE and per‑CPU maps without this patch, which includes stable releases up to at least the 6.x series, are potentially exposed.
Risk and Exploitability
The CVSS score of 7.1 indicates a high severity. The EPSS score of < 1% suggests a very low but non‑zero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is local, with an attacker able to create and manipulate BPF maps; the attacker must first create a CGROUP_STORAGE map with an unaligned value size, then create a matching per‑CPU map and update it with the CGROUP_STORAGE data. An out‑of‑bounds read will then expose adjacent kernel memory. No mitigations exist other than applying the patch or restricting the creation of such map combinations.
OpenCVE Enrichment