{ "affected": [ { "ranges": [ { "events": [ { "introduced": "14c8552db64476ffc27c13dc6652fc0dac31c0ba" }, { "fixed": "65eb166b8636365ad3d6e36d50a7c5edfe6cc66e" }, { "fixed": "261b30ad1516f4b9edd500aa6e8d6315c8fc109a" }, { "fixed": "3157f7e2999616ac91f4d559a8566214f74000a5" } ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "type": "GIT" } ] } ], "database_specific": { "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38607.json" }, "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: handle jset (if a \u0026 b ...) as a jump in CFG computation\n\nBPF_JSET is a conditional jump and currently verifier.c:can_jump()\ndoes not know about that. This can lead to incorrect live registers\nand SCC computation.\n\nE.g. in the following example:\n\n 1: r0 = 1;\n 2: r2 = 2;\n 3: if r1 \u0026 0x7 goto +1;\n 4: exit;\n 5: r0 = r2;\n 6: exit;\n\nW/o this fix insn_successors(3) will return only (4), a jump to (5)\nwould be missed and r2 won't be marked as alive at (3).", "id": "CVE-2025-38607", "modified": "2026-04-01T23:07:47.036954405Z", "published": "2025-08-19T17:03:50.947Z", "references": [ { "type": "WEB", "url": "https://git.kernel.org/stable/c/261b30ad1516f4b9edd500aa6e8d6315c8fc109a" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/3157f7e2999616ac91f4d559a8566214f74000a5" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/65eb166b8636365ad3d6e36d50a7c5edfe6cc66e" }, { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38607.json" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38607" }, { "type": "PACKAGE", "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git" } ], "schema_version": "1.7.3", "summary": "bpf: handle jset (if a \u0026 b ...) as a jump in CFG computation" }