
Cloud Vulnerability DB
A community-led vulnerabilities database
In the Linux kernel, a vulnerability (CVE-2025-38502) has been identified involving an out-of-bounds access in cgroup local storage that can be crafted via tail calls. The issue was discovered by Lonial and affects multiple Debian releases, including bullseye, bookworm, trixie, forky, and sid, where it remains in a vulnerable state (Debian Tracker).
The vulnerability occurs when two programs each utilize a cgroup local storage with different value sizes, and one program performs a tail call into the other. While the verifier validates each individual program correctly, the runtime context `bpf_cg_run_ctx` holds a `bpf_prog_array_item` containing the BPF program and its cgroup local storage flavor. The `bpf_get_local_storage()` helper picks up the former program's map instead of its own from the runtime context, leading to an unintended out-of-bounds access when sizes mismatch (NVD).
When exploited, this vulnerability can result in out-of-bounds memory access, potentially leading to memory corruption and system instability. The issue affects the Linux kernel's cgroup functionality, which is critical for resource management and isolation (NVD).
To address this vulnerability, the `bpf_map_owner` needs to be extended with an array of `storage_cookie[]` to match either the exact maps from the original program if the second program uses `bpf_get_local_storage()`, or allow the tail call combination if the second program does not use any cgroup local storage maps (NVD).
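The size mismatch and the compatibility rule described above can be modeled in userspace. This is an added example, not kernel code or the upstream patch: `model_prog`, `oob_bytes`, `tail_call_compatible`, the two-flavor count, the per-flavor comparison and all cookie and size values are assumptions made for illustration.

```c
/* Userspace model of the rule described above; not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define N_FLAVORS 2 /* assumption: shared and per-CPU cgroup storage */

struct model_prog { /* hypothetical stand-in for a verified BPF program */
    uint64_t storage_cookie[N_FLAVORS]; /* map identity per flavor, 0 = unused */
    size_t value_size;                  /* bound the verifier checked against */
};

/* Unpatched behaviour: the helper hands back the entry program's buffer while
 * the callee was verified against its own value size. Returns the overrun. */
static size_t oob_bytes(const struct model_prog *entry,
                        const struct model_prog *callee)
{
    return callee->value_size > entry->value_size
         ? callee->value_size - entry->value_size : 0;
}

/* Patched rule: each flavor the callee uses must be the map recorded in the
 * owner; a callee without cgroup storage passes. Assumption: per-flavor check. */
static bool tail_call_compatible(const uint64_t owner_cookie[N_FLAVORS],
                                 const struct model_prog *callee)
{
    for (int i = 0; i < N_FLAVORS; i++) {
        uint64_t c = callee->storage_cookie[i];
        if (c != 0 && c != owner_cookie[i])
            return false;
    }
    return true;
}

/* Constructed sample programs: cookies and sizes are illustrative only. */
static const struct model_prog prog_a = { { 101, 0 }, 8 };  /* entry program */
static const struct model_prog prog_b = { { 202, 0 }, 64 }; /* different map */
static const struct model_prog prog_c = { { 0, 0 }, 0 };    /* no storage */

int main(void)
{
    printf("A->B: %zu bytes past buffer; fix allows A->B=%d A->A=%d A->C=%d\n",
           oob_bytes(&prog_a, &prog_b),
           tail_call_compatible(prog_a.storage_cookie, &prog_b),
           tail_call_compatible(prog_a.storage_cookie, &prog_a),
           tail_call_compatible(prog_a.storage_cookie, &prog_c));
    return 0;
}
```

In the model, the A to B tail call is the case the verifier cannot see when it checks each program on its own, and it is the only combination the cookie comparison rejects.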
Source: This report was generated using AI