CVE-2025-37963: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37963 is a vulnerability discovered in the Linux kernel related to the mitigation of cBPF (classic Berkeley Packet Filter) programs loaded by unprivileged users. The vulnerability was published on May 20, 2025, and specifically affects the ARM64 architecture implementation of BPF in the Linux kernel (NVD, Wiz).

The vulnerability stems from the way the Linux kernel handles BPF program mitigations, specifically involving the mitigation of Branch History Buffer (BHB) attacks for cBPF programs. The current implementation unnecessarily mitigates cBPF programs loaded by privileged users, even though these users can load the same program via eBPF (extended Berkeley Packet Filter), making the mitigation redundant. The vulnerability has received a CVSS 3.1 score of 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) (RedHat).

The impact of this vulnerability appears to be limited since it primarily affects the efficiency of security mitigations rather than introducing new security risks. The issue involves unnecessary mitigations being applied to privileged user operations, which could potentially impact system performance but does not directly compromise security (Wiz).

The vulnerability has been resolved in the Linux kernel by modifying the mitigation strategy to only apply to cBPF programs that were loaded by unprivileged users. This targeted approach ensures that necessary security measures are maintained while eliminating redundant mitigations for privileged operations. For Debian's stable distribution (bookworm), these problems have been fixed in version 6.1.140-1 (Debian).