CVE-2025-38280

bpf: Avoid __bpf_prog_ret0_warn when jit fails

Severity Score

5.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

MITRE
TN

In the Linux kernel, the following vulnerability has been resolved: bpf: Avoid __bpf_prog_ret0_warn when jit fails syzkaller reported an issue: WARNING: CPU: 3 PID: 217 at kernel/bpf/core.c:2357 __bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357
Modules linked in:
CPU: 3 UID: 0 PID: 217 Comm: kworker/u32:6 Not tainted 6.15.0-rc4-syzkaller-00040-g8bac8898fe39
RIP: 0010:__bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357
Call Trace: <TASK> bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline] __bpf_prog_run include/linux/filter.h:718 [inline] bpf_prog_run include/linux/filter.h:725 [inline] cls_bpf_classify+0x74a/0x1110 net/sched/cls_bpf.c:105 ... When creating bpf program, 'fp->jit_requested' depends on bpf_jit_enable.
This issue is triggered because of CONFIG_BPF_JIT_ALWAYS_ON is not set
and bpf_jit_enable is set to 1, causing the arch to attempt JIT the prog,
but jit failed due to FAULT_INJECTION. As a result, incorrectly
treats the program as valid, when the program runs it calls
`__bpf_prog_ret0_warn` and triggers the WARN_ON_ONCE(1).

In the Linux kernel, the following vulnerability has been resolved: bpf: Avoid __bpf_prog_ret0_warn when jit fails syzkaller reported an issue: WARNING: CPU: 3 PID: 217 at kernel/bpf/core.c:2357 __bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357 Modules linked in: CPU: 3 UID: 0 PID: 217 Comm: kworker/u32:6 Not tainted 6.15.0-rc4-syzkaller-00040-g8bac8898fe39 RIP: 0010:__bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357 Call Trace: <TASK> bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline] __bpf_prog_run include/linux/filter.h:718 [inline] bpf_prog_run include/linux/filter.h:725 [inline] cls_bpf_classify+0x74a/0x1110 net/sched/cls_bpf.c:105 ... When creating bpf program, 'fp->jit_requested' depends on bpf_jit_enable. This issue is triggered because of CONFIG_BPF_JIT_ALWAYS_ON is not set and bpf_jit_enable is set to 1, causing the arch to attempt JIT the prog, but jit failed due to FAULT_INJECTION. As a result, incorrectly treats the program as valid, when the program runs it calls `__bpf_prog_ret0_warn` and triggers the WARN_ON_ONCE(1).

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-04-16 CVE Reserved
2025-07-10 CVE Published
2025-07-10 CVE Updated
2025-07-16 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (9)

URL	Tag	Source
https://git.kernel.org/stable/c/fa9dd599b4dae841924b022768354cfde9affecb	Vuln. Introduced
https://git.kernel.org/stable/c/5124abda3060e2eab506fb14a27acadee3c3e396	Vuln. Introduced
https://git.kernel.org/stable/c/234646dcfc5f531c74ab20595e89eacd62e3611f	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/e7fb4ebee6e900899d2b2e5852c3e2eafcbcad66	2025-06-27
https://git.kernel.org/stable/c/ef92b96530d1731d9ac167bc7c193c683cd78fff	2025-06-27
https://git.kernel.org/stable/c/6f639c25bfad17d9fd7379ab91ff9678ea9aac85	2025-06-19
https://git.kernel.org/stable/c/2bc6dffb4b72d53d6a6ada510269bf548c3f7ae0	2025-06-19
https://git.kernel.org/stable/c/0b9bb52796b239de6792d0d68cdc6eb505ebff96	2025-06-19
https://git.kernel.org/stable/c/86bc9c742426a16b52a10ef61f5b721aecca2344	2025-05-27

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.16 < 5.15.186 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.16 < 5.15.186"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.16 < 6.1.142 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.16 < 6.1.142"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.16 < 6.6.94 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.16 < 6.6.94"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.16 < 6.12.34 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.16 < 6.12.34"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.16 < 6.15.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.16 < 6.15.3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.16 < 6.16-rc1 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.16 < 6.16-rc1"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.9.190 Search vendor "Linux" for product "Linux Kernel" and version "4.9.190"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.14.140 Search vendor "Linux" for product "Linux Kernel" and version "4.14.140"		en		Affected