CVE-2025-71129 Overview
A vulnerability has been identified in the Linux kernel affecting the LoongArch architecture's BPF (Berkeley Packet Filter) subsystem. The issue stems from improper sign extension of kfunc (kernel function) call arguments, which violates LoongArch calling conventions. When kfunc calls are made without proper sign extension of arguments, the system may experience a kernel panic, leading to system instability or denial of service conditions.
Critical Impact
Improper sign extension in LoongArch BPF kfunc calls can trigger kernel panics, potentially causing denial of service on affected Linux systems running LoongArch architecture.
Affected Products
- Linux kernel with LoongArch architecture support
- Systems utilizing BPF programs with kfunc calls on LoongArch
- Linux kernel versions prior to the security patches
Discovery Timeline
- 2026-01-14 - CVE-2025-71129 published to NVD
- 2026-01-14 - Last updated in NVD database
Technical Details for CVE-2025-71129
Vulnerability Analysis
This vulnerability is classified as a Sign Extension Error affecting the Linux kernel's BPF subsystem on the LoongArch architecture. The kfunc calls in BPF programs are native kernel function calls that must adhere to the LoongArch Application Binary Interface (ABI) calling conventions. The vulnerability occurs because arguments passed to kfunc calls were not being properly sign-extended before the call was made.
The LoongArch architecture requires that function arguments follow specific sign extension rules as part of its calling conventions. When BPF programs invoke kernel functions (kfuncs), these native calls must properly extend values already stored in registers to maintain compatibility with the kernel's expected argument format. Failure to do so can result in corrupted argument values being passed to kernel functions, leading to undefined behavior and kernel panics.
Root Cause
The root cause of this vulnerability is that the BPF JIT (Just-In-Time) compiler for LoongArch did not sign-extend kfunc call arguments. The existing sign_extend() helper could not be reused because it works differently from what this case requires: the extension has to be performed in place, on a value already stored in the target register. The fix introduces a new emit_abi_ext() helper that does exactly that, bringing kfunc calls into line with LoongArch calling conventions.
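An added illustration, not kernel code and not part of the original advisory: a user-space C model of how an argument that was never sign-extended turns into a corrupted value inside a callee that trusts the calling convention. The names reg_t, abi_ext and callee_elem_offset are hypothetical, and the sample register value is constructed; it assumes a 32-bit operation left the upper half of the register zeroed.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint64_t reg_t;   /* model of one 64-bit argument register */

/* Hypothetical helper: extend the low `size` bytes of a register value in
 * place, as a calling convention requires before a native call. It models
 * the effect described for emit_abi_ext(), not the kernel's JIT code. */
static reg_t abi_ext(reg_t r, unsigned size, int is_signed)
{
    if (size >= 8)
        return r;                          /* full width: nothing to do */
    unsigned bits = 8 * size;
    reg_t low = r & ((1ULL << bits) - 1);  /* drop stale upper bits */
    if (!is_signed)
        return low;                        /* zero extension */
    reg_t sign = 1ULL << (bits - 1);
    return (low ^ sign) - sign;            /* sign extension, no UB */
}

/* Model of a native callee declared as f(int idx): it trusts the caller to
 * have extended idx, so the full 64-bit register feeds the offset math. */
static int64_t callee_elem_offset(reg_t idx_reg)
{
    return (int64_t)idx_reg * (int64_t)sizeof(uint64_t);
}

int main(void)
{
    /* Constructed input: idx = -1 produced by a 32-bit operation that
     * leaves the upper half of the register zeroed. */
    reg_t raw = 0x00000000FFFFFFFFULL;

    printf("no extension  : offset %lld\n",
           (long long)callee_elem_offset(raw));
    printf("with extension: offset %lld\n",
           (long long)callee_elem_offset(abi_ext(raw, 4, 1)));
    return 0;
}
```

Without the extension the callee computes an offset of roughly 32 GiB instead of -8, which is the kind of wild access that ends in a kernel panic.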
Attack Vector
Exploitation of this vulnerability requires the ability to load and execute BPF programs on an affected LoongArch system. An attacker with sufficient privileges to load BPF programs could craft a malicious BPF program that triggers kfunc calls with improperly extended arguments, potentially causing kernel panics and denial of service. The attack vector is local, requiring some level of access to the target system to load BPF programs.
The vulnerability manifests when BPF programs make kfunc calls without proper argument sign extension. The fix implements a new emit_abi_ext() helper function that properly extends values in registers according to LoongArch ABI requirements. For detailed implementation, refer to the kernel git commits.
Detection Methods for CVE-2025-71129
Indicators of Compromise
- Unexpected kernel panics on LoongArch systems, particularly when BPF programs are in use
- System crashes occurring during BPF program execution involving kfunc calls
- Kernel log entries indicating argument corruption or unexpected behavior in BPF-related code paths
Detection Strategies
- Monitor kernel logs for BPF-related crashes or panics on LoongArch systems
- Audit running BPF programs and their kfunc call patterns
- Implement kernel crash dump analysis to identify BPF-related failures
Monitoring Recommendations
- Enable kernel crash dump collection to capture diagnostic information during panics
- Monitor system stability metrics on LoongArch systems running BPF programs
- Review kernel audit logs for unusual BPF program loading activity
How to Mitigate CVE-2025-71129
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the emit_abi_ext() fix
- Review and limit BPF program loading privileges on affected LoongArch systems
- Consider temporarily disabling untrusted BPF programs until patches are applied
Patch Information
The vulnerability has been addressed through multiple kernel commits that introduce the emit_abi_ext() helper function for proper sign extension of kfunc call arguments. The patches are available through the following kernel git commits:
Workarounds
- Restrict BPF program loading to trusted users only using kernel.unprivileged_bpf_disabled sysctl
- Monitor and audit BPF programs that utilize kfunc calls on LoongArch systems
- Consider disabling BPF JIT compilation temporarily if patches cannot be immediately applied
# Restrict unprivileged BPF program loading
sysctl -w kernel.unprivileged_bpf_disabled=1
# Make the setting persistent across reboots
echo "kernel.unprivileged_bpf_disabled = 1" >> /etc/sysctl.conf

