CVE-2025-40123

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description The Linux kernel’s BPF subsystem contains an issue where the expected attach type is not properly enforced for tailcall compatibility. A fuzzer tool discovered an uninitialized pointer issue in the bpf prog test run xdp() function, leading to a potential NULL pointer dereference when a BPF program attempts to access the txq member of a struct xdp buff object. This occurs when a BPF program of type BPF PROG TYPE XDP calls into a tailcall map it owns, and the expected attach type is not correctly validated. The issue extends beyond XDP programs to include types like BPF PROG TYPE CGROUP SOCK ADDR. The expected attach type allows for additional functionality or restrictions beyond the basic bpf prog type, and tailcalls must not violate these constraints. The issue is addressed by enforcing expected attach type in the bpf prog map compatible() function.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.