
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-38166 is a vulnerability discovered in the Linux kernel related to the BPF (Berkeley Packet Filter) and kTLS (Kernel Transport Layer Security) implementation. The vulnerability was disclosed on July 3, 2025, affecting the Linux kernel's sockmap functionality (NVD, CVE).
The vulnerability occurs when calling bpf_exec_tx_verdict(): the size of msg_pl->sg may increase while the BPF program executes bpf_msg_push_data(). If the BPF program sets cork_bytes and sg.size is smaller than cork_bytes, the call returns -ENOSPC and the code attempts to roll back to the non-zero-copy logic. During the rollback msg->msg_iter is reset, but msg_pl->sg.size remains increased, so subsequent executions exceed the actual size of msg_iter (CVE).
The vulnerability results in a kernel panic at lib/iov_iter.c:629, potentially causing system crashes and service disruption. This affects systems using BPF programs with kTLS and sockmap functionality (Debian Tracker).
Fixed versions have been released for various Linux distributions. Debian has addressed this in version 6.12.35-1 for trixie and 6.12.37-1 for sid. The fix changes the handling of the cork_bytes case so that it uses the zero-copy logic directly instead of attempting to roll back to the non-zero-copy logic (Debian Tracker).
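The accounting mismatch and the effect of the fix can be followed in a small userspace model. This is an added example, not kernel code and not part of the original report: the struct, the function zc_attempt() and the outcome names are hypothetical, and it assumes the rollback reverts msg_iter by the growth of sg.size.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model of the accounting only; not kernel code or kernel layouts. */
struct tx_model {
    size_t iter_consumed; /* bytes taken from msg->msg_iter so far */
    size_t sg_size;       /* models msg_pl->sg.size */
};

enum outcome { SENT, CORKED, ROLLED_BACK, OVER_REVERT };

/*
 * One zero-copy attempt of `len` user bytes. `pushed` models bytes added by
 * bpf_msg_push_data(); `cork` models cork_bytes set by the BPF program.
 * fixed == 0: roll back to the copy path on -ENOSPC (behaviour before the fix).
 * fixed == 1: stay on the zero-copy path when cork_bytes is set (the fix).
 */
static enum outcome zc_attempt(struct tx_model *m, size_t len, size_t pushed,
                               size_t cork, int fixed)
{
    size_t orig_size = m->sg_size;

    m->iter_consumed += len;     /* zero-copy takes len bytes from msg_iter */
    m->sg_size += len + pushed;  /* the push grows sg only, not msg_iter */

    if (!(cork && m->sg_size < cork))
        return SENT;             /* no -ENOSPC */
    if (fixed)
        return CORKED;           /* data stays queued, nothing is reverted */

    /* Assumed rollback: revert msg_iter by the growth of sg.size. */
    size_t revert = m->sg_size - orig_size;
    if (revert > len)
        return OVER_REVERT;      /* revert exceeds what this attempt consumed */
    m->iter_consumed -= revert;
    m->sg_size = orig_size;
    return ROLLED_BACK;
}

int main(void)
{
    struct tx_model a = {0, 0}, b = {0, 0}, c = {0, 0};
    printf("no push, pre-fix: %d\n", zc_attempt(&a, 100, 0, 4096, 0));
    printf("push 8, pre-fix:  %d\n", zc_attempt(&b, 100, 8, 4096, 0));
    printf("push 8, with fix: %d\n", zc_attempt(&c, 100, 8, 4096, 1));
    return 0;
}
```

OVER_REVERT is the modelled counterpart of the condition the report describes as a panic at lib/iov_iter.c:629; without a push the rollback is consistent, which is why the problem only shows up when the BPF program both grows the message and sets cork_bytes.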
Source: This report was generated using AI