CVE-2024-58100: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability in the Linux kernel's BPF subsystem was identified and resolved (CVE-2024-58100). The issue was discovered on May 5, 2025, and involves the verification of the changespktdata property for extension programs. This vulnerability affects the Linux kernel's packet processing functionality when handling global sub-programs (NVD, RedHat).

The vulnerability occurs during the processing of calls to global sub-programs, where the verifier determines whether to invalidate all packet pointers in the current state based on the changespktdata property of the global sub-program. The issue specifically relates to extension programs replacing global sub-programs, which must maintain compatibility with the changespktdata property of the sub-program being replaced. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (RedHat).

The vulnerability could potentially affect the integrity of packet processing in the Linux kernel. According to the CVSS metrics, while there is no impact on confidentiality or integrity, there is a high impact on availability when successfully exploited (RedHat).

The vulnerability has been resolved through a patch that adds a changespktdata flag to struct bpfprogaux, sets this flag in checkcfg() for the main sub-program and in jitsubprogs() for other sub-programs, modifies bpfcheckattachbtfid() to check the changespktdata flag, and reorders the call sequence in the verification process (NVD).