CVE-2025-40123: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability has been discovered in the Linux kernel's BPF subsystem (CVE-2025-40123), identified on November 12, 2025. The issue involves improper enforcement of expectedattachtype for tailcall compatibility, affecting the Linux kernel's BPF (Berkeley Packet Filter) subsystem (NVD).

The vulnerability stems from an uninitialized pointer issue in the bpfprogtestrunxdp() function within the Linux kernel's BPF subsystem. When a BPF program attempts to dereference the txq member of struct xdpbuff object, it can lead to a NULL pointer dereference. The issue involves two programs of BPFPROGTYPEXDP where progA acts as the entry point and progB's expectedattachtype must be BPFXDPDEVMAP to pass validation. The vulnerability extends to programs of type BPFPROGTYPECGROUPSOCKADDR, where sockaddrisvalidaccess() and sockaddrfuncproto() have different logic depending on the programs' expectedattachtype (NVD).

The vulnerability could potentially lead to security constraints being bypassed through tailcall operations. For example, a program attached to BPFCGROUPINET4GETPEERNAME could perform unauthorized operations by tailcalling into a program that calls bpfbind(), which should only be enabled for BPFCGROUPINET4_CONNECT (NVD).

The vulnerability has been addressed by enforcing expectedattachtype checks in _bpfprogmapcompatible(). The fix has been implemented in the Linux kernel, and the patch is available through various distribution updates, including Debian's linux-6.1 version 6.1.158-1~deb11u1 (Debian LTS).