Impact
The vulnerability resides in the Linux kernel, where uprobe programs that are allowed to write to the BPF program context (kprobe_write_ctx) can be abused through a freplace BPF program. A freplace program can alter values in the kernel register structure (struct pt_regs). When a kernel function is invoked via a kprobe, the modified registers are used, allowing an attacker to force the first argument of any kernel function to a value of their choosing, including zero. This manipulation can lead to arbitrary kernel‑mode escalation. The weakness is identified as CWE‑94, indicating a format‑string or code injection type flaw in kernel BPF handling.
Affected Systems
The affected product is the Linux kernel across all vendors that ship Linux. No specific kernel version range is listed, indicating the issue exists wherever this combination of kprobe and freplace BPF functionality is present.
Risk and Exploitability
The EPSS score of 0.00166 suggests a very low probability of exploitation; the vulnerability is not listed in the CISA KEV catalog, yet its CVSS of 7.0 highlights significant impact. Attacking this flaw would require local access with the ability to load BPF programs, typically requiring root or CAP_SYS_ADMIN privileges. The attack vector is inferred to be local; an attacker can attach a freplace BPF program to a kprobe and manipulate kernel registers so that the first argument of any kernel function is forced to an attacker‑chosen value, potentially leading to arbitrary kernel‑mode escalation. The patch eliminates this attack path by disallowing freplace programs on kprobe programs with mismatched kprobe_write_ctx values.
OpenCVE Enrichment