{"id":"CVE-2025-38591","summary":"bpf: Reject narrower access to pointer ctx fields","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reject narrower access to pointer ctx fields\n\nThe following BPF program, simplified from a syzkaller repro, causes a\nkernel warning:\n\n    r0 = *(u8 *)(r1 + 169);\n    exit;\n\nWith pointer field sk being at offset 168 in __sk_buff. This access is\ndetected as a narrower read in bpf_skb_is_valid_access because it\ndoesn't match offsetof(struct __sk_buff, sk). It is therefore allowed\nand later proceeds to bpf_convert_ctx_access. Note that for the\n\"is_narrower_load\" case in the convert_ctx_accesses(), the insn-\u003eoff\nis aligned, so the cnt may not be 0 because it matches the\noffsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However,\nthe target_size stays 0 and the verifier errors with a kernel warning:\n\n    verifier bug: error during ctx access conversion(1)\n\nThis patch fixes that to return a proper \"invalid bpf_context access\noff=X size=Y\" error on the load instruction.\n\nThe same issue affects multiple other fields in context structures that\nallow narrow access. Some other non-affected fields (for sk_msg,\nsk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for\nconsistency.\n\nNote this syzkaller crash was reported in the \"Closes\" link below, which\nused to be about a different bug, fixed in\ncommit fce7bd8e385a (\"bpf/verifier: Handle BPF_LOAD_ACQ instructions\nin insn_def_regno()\"). Because syzbot somehow confused the two bugs,\nthe new crash and repro didn't get reported to the mailing list.","modified":"2026-04-02T12:48:02.880708Z","published":"2025-08-19T17:03:12.508Z","related":["CGA-hf9w-f84g-wm76","SUSE-SU-2025:03272-1","SUSE-SU-2025:03290-1","SUSE-SU-2025:03301-1","SUSE-SU-2025:03382-1","SUSE-SU-2025:03602-1","SUSE-SU-2025:03633-1","SUSE-SU-2025:03634-1","SUSE-SU-2025:20653-1","SUSE-SU-2025:20669-1","SUSE-SU-2025:20739-1","SUSE-SU-2025:20756-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","SUSE-SU-2026:0473-1","openSUSE-SU-2025:20081-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38591.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/058a0da4f6d916a79b693384111bb80a90d73763"},{"type":"WEB","url":"https://git.kernel.org/stable/c/202900ceeef67458c964c2af6e1427c8e533ea7c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/33660d44e789edb4f303210c813fc56d56377a90"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7847c4140e06f6e87229faae22cc38525334c156"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e09299225d5ba3916c91ef70565f7d2187e4cca0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/feae34c992eb7191862fb1594c704fbbf650fef8"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38591.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38591"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"f96da09473b52c09125cc9bf7d7d4576ae8229e0"},{"fixed":"7847c4140e06f6e87229faae22cc38525334c156"},{"fixed":"feae34c992eb7191862fb1594c704fbbf650fef8"},{"fixed":"33660d44e789edb4f303210c813fc56d56377a90"},{"fixed":"058a0da4f6d916a79b693384111bb80a90d73763"},{"fixed":"202900ceeef67458c964c2af6e1427c8e533ea7c"},{"fixed":"e09299225d5ba3916c91ef70565f7d2187e4cca0"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38591.json"}}],"schema_version":"1.7.5"}