CVE-2025-22048
Last modified
CVE-2025-22048 is a medium-severity vulnerability rated 5.5/10 on the CVSS scale. In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: Don't override subprog's return value The verifier test `calls: div by 0 in subprog` triggers a panic at the ld.bu instruction. The ld.bu insn is trying to load byte from memory address returned by the subprog. EPSS estimates a 0.17% chance of exploitation in the next 30 days.
Description
In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: Don't override subprog's return value The verifier test `calls: div by 0 in subprog` triggers a panic at the ld.bu instruction. The ld.bu insn is trying to load byte from memory address returned by the subprog. The subprog actually set the correct address at the a5 register (dedicated register for BPF return values). But at commit 73c359d1d356 ("LoongArch: BPF: Sign-extend return values") we also sign extended a5 to the a0 register (return value in LoongArch). For function call insn, we later propagate the a0 register back to a5 register. This is right for native calls but wrong for bpf2bpf calls which expect zero-extended return value in a5 register. So only move a0 to a5 for native calls (i.e. non-BPF_PSEUDO_CALL).
Metrics
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux Kernel | >= 6.1.120, < 6.2 |
| Linux | Linux Kernel | >= 6.6.64, < 6.6.87 |
| Linux | Linux Kernel | >= 6.11.11, < 6.12 |
| Linux | Linux Kernel | >= 6.12.2, < 6.12.23 |
| Linux | Linux Kernel | >= 6.13, < 6.13.11 |
| Linux | Linux Kernel | >= 6.14, < 6.14.2 |
References
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-22048?
How severe is CVE-2025-22048?
How do I fix CVE-2025-22048?
Are you affected by CVE-2025-22048?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST