Impact
In Linux kernel BPF sock_ops programs, when the destination and source registers are the same, the macros SOCK_OPS_GET_SK() and SOCK_OPS_GET_FIELD() incorrectly leave the destination register unchanged after a failed full socket check. This stale ctx pointer can be treated as a socket pointer, potentially leading to a stack-out-of-bounds access, or it can be exposed to the verifier as a scalar value, leaking a kernel address. The vulnerability allows old or malicious BPF programs to expose kernel memory pointers.
Affected Systems
All Linux kernel versions before the patch commit 10f86a2a5c91fc4c4d001960f1c21abe52545ef6 and 18e3ffde1822f0b48b1753bf34aa97ce839df1d8 are impacted; users should apply any kernel updates that incorporate these patches.
Risk and Exploitability
The CVSS score of 7.8 indicates moderate severity, and the EPSS score of <1% suggests a low probability of exploitation. The flaw permits a BPF sock_ops program that incorrectly accesses registers to leak kernel pointers or trigger out-of-bounds reads. Exploitation would require loading a malicious BPF sock_ops program, for which the CVE description does not specify the privilege level or exact conditions. The vulnerability is not listed in CISA KEV.
OpenCVE Enrichment