{
  "id": "CVE-2025-38502",
  "summary": "bpf: Fix oob access in cgroup local storage",
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix oob access in cgroup local storage\n\nLonial reported that an out-of-bounds access in cgroup local storage\ncan be crafted via tail calls. Given two programs each utilizing a\ncgroup local storage with a different value size, and one program\ndoing a tail call into the other. The verifier will validate each of\nthe individual programs just fine. However, in the runtime context\nthe bpf_cg_run_ctx holds a bpf_prog_array_item which contains the\nBPF program as well as any cgroup local storage flavor the program\nuses. Helpers such as bpf_get_local_storage() pick this up from the\nruntime context:\n\n  ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx);\n  storage = ctx->prog_item->cgroup_storage[stype];\n\n  if (stype == BPF_CGROUP_STORAGE_SHARED)\n    ptr = &READ_ONCE(storage->buf)->data[0];\n  else\n    ptr = this_cpu_ptr(storage->percpu_buf);\n\nFor the second program which was called from the originally attached\none, this means bpf_get_local_storage() will pick up the former\nprogram's map, not its own. With mismatching sizes, this can result\nin an unintended out-of-bounds access.\n\nTo fix this issue, we need to extend bpf_map_owner with an array of\nstorage_cookie[] to match on i) the exact maps from the original\nprogram if the second program was using bpf_get_local_storage(), or\nii) allow the tail call combination if the second program was not\nusing any of the cgroup local storage maps.",
  "modified": "2026-04-02T12:48:00.311195Z",
  "published": "2025-08-16T09:34:25.135Z",
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38502.json"
  },
  "references": [
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/19341d5c59e8c7e8528e40f8663e99d67810473c"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/41688d1fc5d163a6c2c0e95c0419e2cb31a44648"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/66da7cee78590259b400e51a70622ccd41da7bb2"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/7acfa07c585e3d7a64654d38f0a5c762877d0b9b"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/abad3d0bad72a52137e0c350c59542d75ae4f513"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/c1c74584b9b4043c52e41fec415226e582d266a3"},
    {"type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},
    {"type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38502.json"},
    {"type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38502"},
    {"type": "PACKAGE", "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "events": [
            {"introduced": "7d9c3427894fe70d1347b4820476bf37736d2ff0"},
            {"fixed": "c1c74584b9b4043c52e41fec415226e582d266a3"},
            {"fixed": "66da7cee78590259b400e51a70622ccd41da7bb2"},
            {"fixed": "7acfa07c585e3d7a64654d38f0a5c762877d0b9b"},
            {"fixed": "41688d1fc5d163a6c2c0e95c0419e2cb31a44648"},
            {"fixed": "19341d5c59e8c7e8528e40f8663e99d67810473c"},
            {"fixed": "abad3d0bad72a52137e0c350c59542d75ae4f513"}
          ]
        }
      ],
      "database_specific": {
        "source": "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38502.json"
      }
    }
  ],
  "schema_version": "1.7.5"
}