{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-22087", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.817Z", "datePublished": "2025-04-16T14:12:35.359Z", "dateUpdated": "2026-05-11T21:12:29.682Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:12:29.682Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix array bounds error with may_goto\n\nmay_goto uses an additional 8 bytes on the stack, which causes the\ninterpreters[] array to go out of bounds when calculating index by\nstack_size.\n\n1. If a BPF program is rewritten, re-evaluate the stack size. For non-JIT\ncases, reject loading directly.\n\n2. For non-JIT cases, calculating interpreters[idx] may still cause\nout-of-bounds array access, and just warn about it.\n\n3. For jit_requested cases, the execution of bpf_func also needs to be\nwarned. So move the definition of function __bpf_prog_ret0_warn out of\nthe macro definition CONFIG_BPF_JIT_ALWAYS_ON."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/bpf/core.c", "kernel/bpf/verifier.c"], "versions": [{"version": "011832b97b311bb9e3c27945bc0d1089a14209c9", "lessThan": "19e6817f84000d0b06f09fd69ebd56217842c122", "status": "affected", "versionType": "git"}, {"version": "011832b97b311bb9e3c27945bc0d1089a14209c9", "lessThan": "4524b7febdd55fb99ae2e1f48db64019fa69e643", "status": "affected", "versionType": "git"}, {"version": "011832b97b311bb9e3c27945bc0d1089a14209c9", "lessThan": "1a86ae57b2600e5749f5f674e9d4296ac00c69a8", "status": "affected", "versionType": "git"}, {"version": "011832b97b311bb9e3c27945bc0d1089a14209c9", "lessThan": "6ebc5030e0c5a698f1dd9a6684cddf6ccaed64a0", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/bpf/core.c", "kernel/bpf/verifier.c"], "versions": [{"version": "6.9", "status": "affected"}, {"version": "0", "lessThan": "6.9", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.23", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.11", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14.2", "lessThanOrEqual": "6.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.12.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.13.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.14.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.15"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/19e6817f84000d0b06f09fd69ebd56217842c122"}, {"url": "https://git.kernel.org/stable/c/4524b7febdd55fb99ae2e1f48db64019fa69e643"}, {"url": "https://git.kernel.org/stable/c/1a86ae57b2600e5749f5f674e9d4296ac00c69a8"}, {"url": "https://git.kernel.org/stable/c/6ebc5030e0c5a698f1dd9a6684cddf6ccaed64a0"}], "title": "bpf: Fix array bounds error with may_goto", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "10F3EB18-ACA3-4775-AC8D-C1CC227D2763", "versionEndExcluding": "6.12.23", "versionStartIncluding": "6.9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7E864B0-8C00-4679-BA55-659B4C9C3AD3", "versionEndExcluding": "6.13.11", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "FADAE5D8-4808-442C-B218-77B2CE8780A0", "versionEndExcluding": "6.14.2", "versionStartIncluding": "6.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix array bounds error with may_goto\n\nmay_goto uses an additional 8 bytes on the stack, which causes the\ninterpreters[] array to go out of bounds when calculating index by\nstack_size.\n\n1. If a BPF program is rewritten, re-evaluate the stack size. For non-JIT\ncases, reject loading directly.\n\n2. For non-JIT cases, calculating interpreters[idx] may still cause\nout-of-bounds array access, and just warn about it.\n\n3. For jit_requested cases, the execution of bpf_func also needs to be\nwarned. So move the definition of function __bpf_prog_ret0_warn out of\nthe macro definition CONFIG_BPF_JIT_ALWAYS_ON."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: Correcci\u00f3n del error de los l\u00edmites de la matriz con may_goto. may_goto utiliza 8 bytes adicionales en la pila, lo que provoca que la matriz interpreters[] salga de los l\u00edmites al calcular el \u00edndice mediante stack_size. 1. Si se reescribe un programa BPF, reeval\u00fae el tama\u00f1o de la pila. En casos que no sean JIT, rechace la carga directamente. 2. En casos que no sean JIT, el c\u00e1lculo de interpreters[idx] puede seguir provocando un acceso a la matriz fuera de los l\u00edmites y simplemente advertir al respecto. 3. En casos con jit_requested, tambi\u00e9n se debe advertir la ejecuci\u00f3n de bpf_func. Por lo tanto, mueva la definici\u00f3n de la funci\u00f3n __bpf_prog_ret0_warn fuera de la definici\u00f3n de la macro CONFIG_BPF_JIT_ALWAYS_ON."}], "id": "CVE-2025-22087", "lastModified": "2025-10-31T20:57:00.417", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-16T15:16:02.903", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/19e6817f84000d0b06f09fd69ebd56217842c122"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1a86ae57b2600e5749f5f674e9d4296ac00c69a8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4524b7febdd55fb99ae2e1f48db64019fa69e643"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6ebc5030e0c5a698f1dd9a6684cddf6ccaed64a0"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2025:6966", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-570.12.1.el9_6", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-05-13T00:00:00Z"}, {"advisory": "RHSA-2025:6966", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-570.12.1.el9_6", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-05-13T00:00:00Z"}], "bugzilla": {"description": "kernel: bpf: Fix array bounds error with may_goto", "id": "2360217", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2360217"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.6", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", "status": "verified"}, "cwe": "CWE-125", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nbpf: Fix array bounds error with may_goto\nmay_goto uses an additional 8 bytes on the stack, which causes the\ninterpreters[] array to go out of bounds when calculating index by\nstack_size.\n1. If a BPF program is rewritten, re-evaluate the stack size. For non-JIT\ncases, reject loading directly.\n2. For non-JIT cases, calculating interpreters[idx] may still cause\nout-of-bounds array access, and just warn about it.\n3. For jit_requested cases, the execution of bpf_func also needs to be\nwarned. So move the definition of function __bpf_prog_ret0_warn out of\nthe macro definition CONFIG_BPF_JIT_ALWAYS_ON."], "name": "CVE-2025-22087", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-04-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-22087\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-22087\nhttps://lore.kernel.org/linux-cve-announce/2025041616-CVE-2025-22087-d711@gregkh/T"], "threat_severity": "Moderate"}

{}