CVE-2025-22048: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-22048 is a vulnerability discovered in the Linux kernel, specifically affecting the LoongArch BPF (Berkeley Packet Filter) subsystem. The vulnerability was disclosed on April 16, 2025, and involves an issue where the subprogram's return value is incorrectly overridden (NVD, RedHat).

The vulnerability occurs when the verifier test 'calls: div by 0 in subprog' triggers a panic at the ld.bu instruction. The issue stems from the ld.bu instruction attempting to load a byte from a memory address returned by the subprogram. While the subprogram correctly sets the address in the a5 register (dedicated for BPF return values), a previous commit (73c359d1d356) introduced sign extension of a5 to the a0 register. This causes incorrect propagation of the a0 register back to a5 register for bpf2bpf calls, which expect zero-extended return values. The vulnerability has been assigned a CVSS v3.1 score of 5.5 (Low) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (RedHat).

The vulnerability can result in a system panic when specific BPF operations are performed, potentially leading to a denial of service condition. The impact is primarily limited to availability, with no direct impact on confidentiality or integrity of the system (RedHat).

The vulnerability has been fixed in Linux kernel version 6.12.25-1 for Debian systems. Various distributions have released patches, with some versions being marked as not affected. For instance, Red Hat Enterprise Linux 6, 7, 8, and 9 are not affected by this vulnerability (Debian, RedHat).