Bug 2414474 (CVE-2025-40169)

Summary: CVE-2025-40169 kernel: bpf: Reject negative offsets for ALU ops
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A validation logic error was found in the Linux kernel's BPF verifier when checking ALU operation offsets. A local user with BPF privileges can trigger this issue by loading BPF programs containing ALU instructions with negative offset values. The verifier's check only rejected offsets greater than 1, incorrectly accepting all negative values due to signed comparison semantics. This allows malformed BPF programs to pass verification and potentially cause undefined behavior or crashes, resulting in denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-11-12 11:02:01 UTC 
In the Linux kernel, the following vulnerability has been resolved:

bpf: Reject negative offsets for ALU ops

When verifying BPF programs, the check_alu_op() function validates
instructions with ALU operations. The 'offset' field in these
instructions is a signed 16-bit integer.

The existing check 'insn->off > 1' was intended to ensure the offset is
either 0, or 1 for BPF_MOD/BPF_DIV. However, because 'insn->off' is
signed, this check incorrectly accepts all negative values (e.g., -1).

This commit tightens the validation by changing the condition to
'(insn->off != 0 && insn->off != 1)'. This ensures that any value
other than the explicitly permitted 0 and 1 is rejected, hardening the
verifier against malformed BPF programs.
Comment 1 Alexander B 2025-11-13 16:28:37 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025111259-CVE-2025-40169-c29b@gregkh/T