CVE-2025-37939
Linux Ubuntu vulnerability analysis and mitigation

Overview

A vulnerability (CVE-2025-37939) was identified in the Linux kernel's libbpf component, specifically in the btf_ext_parse_info() function. The vulnerability was discovered and reported by the OSS Fuzz project and disclosed on May 20, 2025. The issue affects the BTF.ext core_relo header processing in the Linux kernel (NVD, Wiz).

Technical details

The vulnerability exists in btf_ext_parse_info(), which does not validate that the core_relo header is present before reading its fields. This oversight can lead to a buffer read overflow. According to Red Hat's assessment, the vulnerability has been assigned a CVSS 3.1 base score of 5.5 with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).

Impact

The vulnerability could lead to a buffer read overflow, which might allow attackers to access memory contents beyond the intended boundaries. This could result in information disclosure or system instability (Wiz).

Mitigation and workarounds

The vulnerability has been resolved in the Linux kernel through a patch that updates the btf_ext_parse_info() function to properly verify the presence of the core_relo header before accessing its fields (NVD).
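
The presence check described under Technical details and in the fix above, shown as an added illustration; it is not libbpf's code. The struct layout, the names ext_hdr and ext_core_relo, and the offset convention are simplified assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified, hypothetical layout: fixed fields, then an optional
 * core_relo tail that older producers leave out (hdr_len says which). */
struct ext_hdr {
    uint16_t magic;
    uint8_t  version, flags;
    uint32_t hdr_len;                       /* header bytes present */
    uint32_t func_info_off, func_info_len;
    uint32_t line_info_off, line_info_len;
    uint32_t core_relo_off, core_relo_len;  /* optional tail */
};
#define MIN_HDR_LEN  offsetof(struct ext_hdr, core_relo_off)
#define FULL_HDR_LEN sizeof(struct ext_hdr)
enum { EXT_INVALID = -1, EXT_NO_CORE_RELO = 0, EXT_HAS_CORE_RELO = 1 };

/* Fills *off and *len only when hdr_len proves the optional fields exist. */
int ext_core_relo(const uint8_t *buf, size_t size, uint32_t *off, uint32_t *len)
{
    struct ext_hdr h = {0};
    if (size < MIN_HDR_LEN)
        return EXT_INVALID;
    memcpy(&h, buf, MIN_HDR_LEN);           /* fixed part only */
    if (h.hdr_len < MIN_HDR_LEN || h.hdr_len > size)
        return EXT_INVALID;
    if (h.hdr_len < FULL_HDR_LEN)           /* tail absent: do not read it */
        return EXT_NO_CORE_RELO;
    memcpy(&h, buf, FULL_HDR_LEN);
    /* Assumed convention: section offsets count from the end of the header. */
    if (h.core_relo_off > size - h.hdr_len ||
        h.core_relo_len > size - h.hdr_len - h.core_relo_off)
        return EXT_INVALID;
    *off = h.core_relo_off;
    *len = h.core_relo_len;
    return EXT_HAS_CORE_RELO;
}

int main(void)
{
    /* Constructed sample: a 24-byte blob whose header has no core_relo tail. */
    uint8_t blob[24] = {0};
    uint32_t off = 0, len = 0, hdr_len = MIN_HDR_LEN;
    memcpy(blob + offsetof(struct ext_hdr, hdr_len), &hdr_len, sizeof(hdr_len));
    printf("result=%d\n", ext_core_relo(blob, sizeof(blob), &off, &len));
    return 0;
}
```

Without the `hdr_len < FULL_HDR_LEN` branch, the second copy would read 8 bytes past the end of the 24-byte sample, which is the class of out-of-bounds read the advisory describes.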

Source: This report was generated using AI

Related Linux Ubuntu vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2026-21441 | HIGH | 8.9 | Python | barman | No | Yes | Jan 07, 2026 |
| CVE-2025-68766 | HIGH | 7.1 | Linux Debian | linux-gcp-fips | No | Yes | Jan 05, 2026 |
| CVE-2025-68765 | MEDIUM | 5.5 | Linux Debian | linux-lowlatency | No | Yes | Jan 05, 2026 |
| CVE-2025-68764 | MEDIUM | 5.5 | Linux Kernel | linux-realtime | No | Yes | Jan 05, 2026 |
| CVE-2025-68763 | MEDIUM | 5.5 | Linux Debian | linux-gcp | No | Yes | Jan 05, 2026 |
