Byeonguk Jeong

#33684 of 53,633
7.8 Total CVSS
Vulnerabilities · 1
PT-2024-10070
7.8
2024-10-29
Linux · Linux Kernel · CVE-2024-50262
**Name of the Vulnerable Software and Affected Versions**

Linux kernel versions prior to 6.6.61

**Description**

The issue is an out-of-bounds write in the `trie_get_next_key()` function in the Linux kernel's `bpf` module. The function allocates a node stack of size `trie->max_prefixlen` but writes `(trie->max_prefixlen + 1)` nodes to the stack when the trie has full paths from the root to leaves. For example, in a trie with `max_prefixlen` set to 8 and nodes with keys 0x00/0, 0x00/1, 0x00/2, ... 0x00/8 inserted, subsequent calls to `trie_get_next_key()` with a key having `.prefixlen = 8` can cause 9 nodes to be written on the node stack with size 8. This can potentially impact the confidentiality, integrity, and availability of protected information.

**Recommendations**

To resolve the issue, update the Linux kernel to version 6.6.61 or later. As a temporary workaround, consider restricting the use of the `trie_get_next_key()` function until a patch is available. Avoid using the `trie_get_next_key()` function with keys that have a `.prefixlen` equal to `trie->max_prefixlen` to minimize the risk of exploitation.
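The off-by-one in the description can be reproduced with a small user-space model. This is an added example, not kernel code and not taken from the advisory. The `node` layout and the helpers `insert`, `build_full_path` and `walk_push` are hypothetical; the walk pushes onto a bounds-checked stack so the overrun is reported instead of performed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified user-space model of an LPM trie over 8-bit keys; not kernel code. */
struct node { uint8_t data; unsigned prefixlen; struct node *child[2]; };

static unsigned bit(uint8_t data, unsigned i) { return (data >> (7 - i)) & 1u; }

/* Model limitation: keys must be inserted in increasing prefixlen order along
 * one path, which is exactly the 0x00/0 .. 0x00/8 sequence from the advisory. */
static void insert(struct node **root, uint8_t data, unsigned plen) {
    struct node **slot = root;
    while (*slot && (*slot)->prefixlen < plen)
        slot = &(*slot)->child[bit(data, (*slot)->prefixlen)];
    if (*slot) return;                      /* key already present */
    *slot = calloc(1, sizeof **slot);
    if (!*slot) abort();
    (*slot)->data = data; (*slot)->prefixlen = plen;
}

/* Build the trie from the description: 0x00/0, 0x00/1, ... 0x00/max_prefixlen. */
static struct node *build_full_path(unsigned max_prefixlen) {
    struct node *root = NULL;
    for (unsigned p = 0; p <= max_prefixlen; p++) insert(&root, 0x00, p);
    return root;
}

/* Walk towards data/plen, pushing each visited node onto a stack of `cap` slots.
 * Returns nodes pushed, or -1 when a push would land past the end of the stack. */
static int walk_push(struct node *root, uint8_t data, unsigned plen, unsigned cap) {
    struct node **stack = calloc(cap ? cap : 1, sizeof *stack);
    int sp = 0;
    if (!stack) abort();
    for (struct node *n = root; n; n = n->child[bit(data, n->prefixlen)]) {
        if ((unsigned)sp == cap) { sp = -1; break; }   /* bounds check */
        stack[sp++] = n;
        if (n->prefixlen >= plen) break;                /* reached the key */
    }
    free(stack);
    return sp;
}

int main(void) {
    struct node *root = build_full_path(8);             /* max_prefixlen = 8 */
    printf("cap 8: %d\n", walk_push(root, 0x00, 8, 8));
    printf("cap 9: %d\n", walk_push(root, 0x00, 8, 9));
    return 0;
}
```

A stack of `max_prefixlen` slots is one short for a full root-to-leaf path because the root node at prefix length 0 also occupies a slot.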