CVE-2020-27170 Overview
CVE-2020-27170 is a side-channel vulnerability in the Linux kernel's Berkeley Packet Filter (BPF) verifier, in kernel/bpf/verifier.c, affecting kernels before 5.11.8. The verifier's Spectre v1 sanitization of pointer arithmetic only works for pointer types that define a ptr_limit (stack and map-value pointers); for other pointer types, such as the program context pointer, the verifier accepted the arithmetic without any speculative bounds masking, so the CPU can speculate out of bounds. A local attacker can use this to defeat the existing Spectre v1 mitigations and read kernel memory through a cache-based side channel. The upstream fix is commit f232326f6966 ("bpf: Prohibit alu ops for pointer types not defining ptr_limit"), and the issue is classified under [CWE-203] (Observable Discrepancy).
Critical Impact
Local unprivileged users able to load BPF programs can leak kernel memory contents, potentially including credentials and cryptographic material, by combining speculative execution of a verified BPF program with a cache side channel.
Affected Products
- Linux kernel versions prior to 5.11.8
- Ubuntu 14.04 ESM, 16.04 LTS, 18.04 LTS, and 20.04 LTS
- Debian Linux 9 and Fedora 32, 33, 34
Discovery Timeline
- 2021-03-19 - Issue disclosed by Piotr Krysiuk on the Openwall oss-security mailing list, together with the companion off-by-one issue CVE-2020-27171
- 2021-03-20 - CVE-2020-27170 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-27170
Vulnerability Analysis
The Linux BPF subsystem allows unprivileged users to load programs (socket filter and cgroup skb program types) that execute in kernel context after passing the verifier's static analysis. Besides architectural bounds checks, the verifier defends against Spectre v1 by patching pointer arithmetic with a mask so that a mispredicted bounds check cannot carry a pointer out of its object even speculatively. That mask needs a per-object distance, the ptr_limit, and retrieve_ptr_limit() only computes one for stack pointers and map-value pointers. For every other pointer type, including the program context pointer (PTR_TO_CTX) that every unprivileged program holds, the lookup failed, and sanitize_ptr_alu() treated the failure as "nothing to sanitize", accepting the arithmetic with no speculative protection at all.
An attacker therefore crafts a BPF program in which a bounds check is architecturally correct, so the verifier is satisfied, but can be mispredicted: on the mispredicted path the CPU performs pointer arithmetic with an attacker-controlled offset far beyond the object and issues a load from the result. The architectural result is discarded, but the speculative load leaves the target line in the CPU cache. The attacker then measures cache timing to recover the leaked kernel memory byte by byte, bypassing the Spectre v1 hardening added in earlier kernel patches.
Root Cause
The root cause is incomplete coverage of speculative pointer arithmetic sanitization in the BPF verifier. When retrieve_ptr_limit() returned an error for a pointer type with no ptr_limit, sanitize_ptr_alu() swallowed the error and returned success, so the program was accepted without any speculative mask being emitted. The fix (f232326f6966) propagates that error, so unprivileged programs that attempt arithmetic on the unprotected pointer types (context pointers and map pointers) are rejected at load time with the verifier message "tried to add from different maps, paths, or prohibited types".
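To make the control flow concrete, the following Python model walks through the verifier decision described above. It is an added illustration written for this page, not code from kernel/bpf/verifier.c: it keeps the kernel's function and type names (retrieve_ptr_limit, sanitize_ptr_alu, PTR_TO_STACK, PTR_TO_MAP_VALUE, PTR_TO_CTX, CONST_PTR_TO_MAP, MAX_BPF_STACK) but tracks only constant pointer offsets and omits the -ERANGE checks and register-state bookkeeping the real verifier carries. The mask arithmetic reproduces the instruction sequence the verifier patches in after a successful limit lookup; `off` stands for the runtime value of the offset register on the mispredicted path.

```python
"""Model of the BPF verifier decision behind CVE-2020-27170.

Added illustration, not code from kernel/bpf/verifier.c. It keeps the
kernel's names but tracks only constant pointer offsets and drops the
-ERANGE checks and register-state bookkeeping the real verifier carries.
"""
import errno
from dataclasses import dataclass

MAX_BPF_STACK = 512

# Only the first two types have a ptr_limit in retrieve_ptr_limit().
PTR_TO_STACK = "PTR_TO_STACK"
PTR_TO_MAP_VALUE = "PTR_TO_MAP_VALUE"
PTR_TO_CTX = "PTR_TO_CTX"              # every unprivileged program holds one
CONST_PTR_TO_MAP = "CONST_PTR_TO_MAP"

BPF_ADD, BPF_SUB = "BPF_ADD", "BPF_SUB"


@dataclass
class PtrReg:
    type: str
    off: int = 0             # constant offset from the object base
    map_value_size: int = 0  # PTR_TO_MAP_VALUE only


def retrieve_ptr_limit(ptr_reg, opcode, off_is_neg):
    """How far the pointer may move in the op's direction and stay inside
    its object. Returns (0, limit), or (-EINVAL, None) when the type has
    no defined limit."""
    mask_to_left = ((opcode == BPF_ADD and off_is_neg) or
                    (opcode == BPF_SUB and not off_is_neg))
    if ptr_reg.type == PTR_TO_STACK:
        # Stack offsets are negative, relative to the frame pointer.
        limit = MAX_BPF_STACK + ptr_reg.off if mask_to_left else -ptr_reg.off - 1
        return 0, limit
    if ptr_reg.type == PTR_TO_MAP_VALUE:
        limit = (ptr_reg.off if mask_to_left
                 else ptr_reg.map_value_size - ptr_reg.off - 1)
        return 0, limit
    return -errno.EINVAL, None


def sanitize_ptr_alu(ptr_reg, opcode, off_is_neg, fixed):
    """Verifier-time decision. Returns (err, limit): err == 0 accepts the
    instruction, limit is the mask to patch in (None means no mask)."""
    err, limit = retrieve_ptr_limit(ptr_reg, opcode, off_is_neg)
    if err:
        if fixed:
            return err, None   # f232326f6966: propagate -> program rejected
        return 0, None         # pre-fix: error swallowed, op accepted unmasked
    return 0, limit


def apply_speculative_mask(off, limit):
    """Runtime effect of the mov/sub/or/neg/arsh/and sequence the verifier
    patches in when a limit exists: an offset above the limit collapses to
    0, so a mispredicted bounds check cannot move the pointer out of bounds.
    off is the magnitude; direction was already folded into the limit."""
    aux = limit - off
    aux |= off
    aux = -aux
    aux >>= 63            # arithmetic shift: -1 when in range, 0 when not
    return off & aux


def speculative_reach(ptr_reg, opcode, off, fixed):
    """Outcome of `ptr_reg opcode off` on a mispredicted path: 'rejected'
    at load time, or the offset the speculative access can really use."""
    err, limit = sanitize_ptr_alu(ptr_reg, opcode, off < 0, fixed)
    if err:
        return "rejected"
    if limit is None:
        return abs(off)   # no mask emitted: attacker-chosen reach
    return apply_speculative_mask(abs(off), limit)


if __name__ == "__main__":
    ctx = PtrReg(PTR_TO_CTX)
    for fixed in (False, True):
        print("ctx + 4096, fixed=%s -> %s" % (fixed, speculative_reach(ctx, BPF_ADD, 4096, fixed)))
    fp = PtrReg(PTR_TO_STACK, off=-64)
    print("fp-64 + 4096 -> %s" % speculative_reach(fp, BPF_ADD, 4096, True))
```

The two `ctx + 4096` runs are the whole bug: before the fix the context pointer arithmetic is accepted and the speculative reach is the full attacker-chosen offset, after the fix the same program is rejected. The stack and map-value cases show what sanitization normally does: an in-bounds offset passes through unchanged, an out-of-bounds one is forced to zero.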
Attack Vector
Exploitation requires local access and the ability to load BPF programs, which is permitted to unprivileged users (socket filter and cgroup skb program types) whenever kernel.unprivileged_bpf_disabled=0, the default on affected kernels. The attacker loads a BPF program that passes the verifier, trains the branch predictor so that a bounds check is mispredicted, and on the mispredicted path performs pointer arithmetic on a context or map pointer with a controlled out-of-bounds offset. The resulting speculative load leaves a cache footprint that a FLUSH+RELOAD or similar cache side-channel primitive turns back into the bytes that were read. There is no remote network exposure; the attack vector is strictly local.
No public proof-of-concept exploit code is referenced in the vendor advisories. See the Linux Kernel Commit f232326f for the upstream fix and the Openwall oss-security post for the original disclosure.
Detection Methods for CVE-2020-27170
Indicators of Compromise
- Unprivileged processes invoking the bpf() syscall with BPF_PROG_LOAD; only socket filter and cgroup skb program types can be loaded without privilege, so a non-root load request for any other type fails with EPERM, but the attempt itself is an indicator
- Repeated BPF program loads from a single non-root process, the pattern of an attacker re-training the branch predictor and re-sampling
- High-resolution timing (rdtsc) and cache-flush (clflush) instructions from low-privilege workloads; neither instruction is trapped or logged by default, so this indicator is only visible through hardware performance counters, perf sampling, or an EDR that collects them
Detection Strategies
- Audit kernel versions across the fleet and flag any host running a Linux kernel earlier than 5.11.8 without distribution backports applied
- Record the bpf syscall with an auditd rule (for example auditctl -a always,exit -F arch=b64 -S bpf -k bpf) and correlate each BPF_PROG_LOAD with the calling UID, process, and program type
- Detect tampering with kernel.unprivileged_bpf_disabled; on affected kernels a value of 1 cannot be set back to 0 without a reboot, so watch for edits to the persisted sysctl.d configuration and for an unexpected reboot that leaves the sysctl at 0
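The following Python script applies the auditd strategy above to raw SYSCALL records. It is an added example for this page, not part of the advisory or of any distribution's tooling; it assumes x86_64, where bpf() is syscall number 321 (other architectures use different numbers, hence the parameter), and that a rule such as auditctl -a always,exit -F arch=b64 -S bpf -k bpf is already in place so the records exist. The log lines embedded in it are constructed for the example.

```python
"""Flag bpf(BPF_PROG_LOAD) calls by non-root users in raw auditd SYSCALL records.

Added example for this page, not part of the advisory. Assumes x86_64 (bpf()
is syscall 321 there) and an audit rule like
    auditctl -a always,exit -F arch=b64 -S bpf -k bpf
so that the records exist. SAMPLE_AUDIT_LOG is constructed for the example.
"""
import re
from collections import Counter

BPF_SYSCALL_X86_64 = 321   # arch/x86/entry/syscalls/syscall_64.tbl
BPF_PROG_LOAD = 5          # enum bpf_cmd; first argument, hex without 0x in audit.log

# Constructed records: two loads and one denied retry by uid 1000 from the same
# process, one expected root load, and one uid-1000 BPF_MAP_CREATE (a0=0).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1616150400.101:4521): arch=c000003e syscall=321 success=yes exit=3 a0=5 a1=7ffd8b1c0a40 a2=78 a3=0 items=0 ppid=2310 pid=2344 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="bpfprobe" exe="/tmp/bpfprobe" key="bpf"
type=SYSCALL msg=audit(1616150400.102:4522): arch=c000003e syscall=321 success=yes exit=3 a0=5 a1=7ffd8b1c0a40 a2=78 a3=0 items=0 ppid=2310 pid=2344 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="bpfprobe" exe="/tmp/bpfprobe" key="bpf"
type=SYSCALL msg=audit(1616150400.103:4523): arch=c000003e syscall=321 success=no exit=-1 a0=5 a1=7ffd8b1c0a40 a2=78 a3=0 items=0 ppid=2310 pid=2344 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="bpfprobe" exe="/tmp/bpfprobe" key="bpf"
type=SYSCALL msg=audit(1616150401.200:4524): arch=c000003e syscall=321 success=yes exit=7 a0=5 a1=55d3c0a1f2e0 a2=78 a3=0 items=0 ppid=1 pid=812 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" key="bpf"
type=SYSCALL msg=audit(1616150401.300:4525): arch=c000003e syscall=321 success=yes exit=4 a0=0 a1=7ffd8b1c0a40 a2=78 a3=0 items=0 ppid=2310 pid=2344 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="bpfprobe" exe="/tmp/bpfprobe" key="bpf"
"""

_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_SERIAL = re.compile(r":(\d+)\)")


def parse_record(line):
    """Split one audit record into a dict, unquoting quoted values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _FIELD.findall(line)}


def unprivileged_prog_loads(log_text, bpf_syscall=BPF_SYSCALL_X86_64):
    """Return BPF_PROG_LOAD records from non-root uids, tagged 'loaded' or
    'denied'. A denied attempt after kernel.unprivileged_bpf_disabled=1 is
    still a probe worth seeing."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("uid") == "0":
            continue
        if int(rec.get("syscall", "-1")) != bpf_syscall:
            continue
        if int(rec.get("a0", "0"), 16) != BPF_PROG_LOAD:
            continue
        serial = _SERIAL.search(rec.get("msg", ""))
        hits.append({
            "serial": serial.group(1) if serial else "?",
            "uid": rec["uid"],
            "pid": rec.get("pid", "?"),
            "comm": rec.get("comm", "?"),
            "exe": rec.get("exe", "?"),
            "outcome": "loaded" if rec.get("success") == "yes" else "denied",
        })
    return hits


def loads_per_uid(hits):
    """Successful loads per uid; repeated loads from one user are the
    'retrain and resample' pattern described in the indicators above."""
    return Counter(h["uid"] for h in hits if h["outcome"] == "loaded")


if __name__ == "__main__":
    found = unprivileged_prog_loads(SAMPLE_AUDIT_LOG)
    for h in found:
        print("audit serial %(serial)s: uid %(uid)s pid %(pid)s %(comm)s (%(exe)s) %(outcome)s" % h)
    print("successful loads per uid:", dict(loads_per_uid(found)))
```

Feed it the raw /var/log/audit/audit.log (not the interpreted ausearch -i output, whose field values are already translated) and forward the hits to the SIEM; the root load from systemd and the map creation are deliberately left out of the result so that legitimate privileged loaders and ordinary map operations do not page anyone.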
Monitoring Recommendations
- Forward kernel audit logs and BPF program load events to a centralized SIEM for retention and correlation
- Alert on local privilege-escalation precursors, including unusual BPF activity from service accounts or container workloads
- Track patch state via package inventory and compare against the fixed kernel versions listed in vendor advisories
How to Mitigate CVE-2020-27170
Immediate Actions Required
- Update affected systems to Linux kernel 5.11.8 or later, or apply the distribution-supplied backport from Ubuntu, Debian, or Fedora
- Set kernel.unprivileged_bpf_disabled=1 via sysctl to prevent unprivileged users from loading BPF programs until patching completes; on affected kernels this setting is one-way and only a reboot restores 0, so first confirm that no required workload depends on unprivileged BPF
- Inventory containerized hosts and confirm the host kernel, not the container image, is patched
Patch Information
The upstream fix is included in the Linux 5.11.8 release, which also carries the fix for the companion issue CVE-2020-27171 (commit 10d2bb2e6b1d, an off-by-one in the size of the speculative mask). Review the Linux Kernel ChangeLog 5.11.8 and the corresponding commit f232326f6966cf2a1d1db7bc917a4ce5f9f55f76. Distribution-specific patches are available via the Debian LTS Announcement, the Fedora Package Announcement, and the Ubuntu Kernel Live Patch LSN-0075-1.
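For the fleet-wide kernel audit called for in the detection and monitoring sections, comparing uname -r against 5.11.8 is not enough: Ubuntu and Debian kernels report a ".0" patch level and carry the fix as a package backport, so their version string says nothing about patch state. The classifier below is an added example, not from the advisory. The 5.11.8 threshold is the advisory's; the stable-branch thresholds (5.10.25, 5.4.107, 4.19.182) are this example's assumption from the 2021-03-20 stable releases and should be confirmed against your distribution's advisory; distribution-style versions are reported as indeterminate rather than guessed.

```python
"""Classify `uname -r` output against the CVE-2020-27170 fix.

Added example, not from the advisory. 5.11.8 is the advisory's threshold; the
stable-branch numbers in FIXED_IN are this example's assumption from the
2021-03-20 stable releases and must be confirmed against the vendor advisory.
Distribution kernels that report a .0 patch level (Ubuntu/Debian style) hide
the upstream patch level and are reported as INDETERMINATE, not guessed.
"""
import re

FIXED, VULNERABLE, INDETERMINATE = "FIXED", "VULNERABLE", "INDETERMINATE"

FIXED_IN = {              # branch -> first patch release carrying f232326f6966
    (5, 11): 8,           # from the advisory
    (5, 10): 25,          # assumed, see module docstring
    (5, 4): 107,          # assumed
    (4, 19): 182,         # assumed
}
FIRST_FIXED_MAINLINE = (5, 12)   # the fix is in mainline from 5.12 onward

_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")
_DISTRO_BUILD = re.compile(r"^-\d+[-.]")   # '-70-generic', '-14-amd64', '-1160.el7...'


def classify_kernel(release):
    """Return (status, reason) for one kernel release string."""
    m = _VERSION.match(release.strip())
    if not m:
        return INDETERMINATE, "unparseable release string %r" % release
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    suffix = m.group(4)
    if (major, minor) >= FIRST_FIXED_MAINLINE:
        return FIXED, "mainline %d.%d includes the fix" % (major, minor)
    if patch == 0 and _DISTRO_BUILD.match(suffix):
        return INDETERMINATE, "distribution kernel; check the package changelog for CVE-2020-27170"
    fixed_patch = FIXED_IN.get((major, minor))
    if fixed_patch is None:
        return INDETERMINATE, "no fix version on record for the %d.%d branch" % (major, minor)
    verdict = FIXED if patch >= fixed_patch else VULNERABLE
    return verdict, "%d.%d.%d vs fixed %d.%d.%d" % (major, minor, patch, major, minor, fixed_patch)


def classify_fleet(inventory):
    """inventory: {hostname: uname -r output}. Returns {status: sorted hostnames}."""
    out = {FIXED: [], VULNERABLE: [], INDETERMINATE: []}
    for host in sorted(inventory):
        out[classify_kernel(inventory[host])[0]].append(host)
    return out


if __name__ == "__main__":
    # Constructed inventory for the example.
    fleet = {
        "web-1": "5.11.7-arch1-1",
        "web-2": "5.11.8-200.fc33.x86_64",
        "db-1": "5.4.0-70-generic",
        "db-2": "5.10.25",
        "legacy": "3.10.0-1160.el7.x86_64",
    }
    for status, hosts in classify_fleet(fleet).items():
        print(status, hosts)
```

The INDETERMINATE bucket is the point of the exercise: for those hosts the answer lives in the package changelog (for example the USN or DSA that names CVE-2020-27170), not in the version string, and a fleet report that silently marks them fixed or vulnerable is wrong either way.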
Workarounds
- Disable unprivileged BPF loading via sysctl -w kernel.unprivileged_bpf_disabled=1 and persist the setting in /etc/sysctl.d/
- Restrict the capabilities that allow privileged BPF loads (CAP_BPF on 5.8 and later, CAP_SYS_ADMIN on older kernels) to trusted service accounts only; the fix rejects the unsafe arithmetic only for unprivileged programs, so privileged loaders remain trusted code
- Apply Ubuntu Livepatch where rebooting affected hosts is not immediately feasible
# Configuration example
# Disable unprivileged BPF until the kernel patch is applied
echo 'kernel.unprivileged_bpf_disabled=1' | sudo tee /etc/sysctl.d/90-bpf-hardening.conf
sudo sysctl --system
# Confirm the setting took effect (expect: kernel.unprivileged_bpf_disabled = 1)
sysctl kernel.unprivileged_bpf_disabled
# Check the running kernel against the fix threshold (5.11.8 upstream);
# distribution kernels carry backports, so compare the package version with the vendor advisory
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


