Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71129

CVE-2025-71129: Linux Kernel Privilege Escalation Flaw

CVE-2025-71129 is a privilege escalation vulnerability in the Linux kernel affecting LoongArch BPF kfunc calls. Improper sign extension can lead to kernel panic. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-71129 Overview

A vulnerability has been identified in the Linux kernel affecting the LoongArch architecture's BPF (Berkeley Packet Filter) subsystem. The issue stems from improper sign extension of kfunc (kernel function) call arguments, which violates LoongArch calling conventions. When kfunc calls are made without proper sign extension of arguments, the system may experience a kernel panic, leading to system instability or denial of service conditions.

Critical Impact

Improper sign extension in LoongArch BPF kfunc calls can trigger kernel panics, potentially causing denial of service on affected Linux systems running LoongArch architecture.

Affected Products

  • Linux kernel with LoongArch architecture support
  • Systems utilizing BPF programs with kfunc calls on LoongArch
  • Linux kernel versions prior to the security patches

Discovery Timeline

  • 2026-01-14 - CVE CVE-2025-71129 published to NVD
  • 2026-01-14 - Last updated in NVD database

Technical Details for CVE-2025-71129

Vulnerability Analysis

This vulnerability is classified as a Sign Extension Error affecting the Linux kernel's BPF subsystem on the LoongArch architecture. The kfunc calls in BPF programs are native kernel function calls that must adhere to the LoongArch Application Binary Interface (ABI) calling conventions. The vulnerability occurs because arguments passed to kfunc calls were not being properly sign-extended before the call was made.

The LoongArch architecture requires that function arguments follow specific sign extension rules as part of its calling conventions. When BPF programs invoke kernel functions (kfuncs), these native calls must properly extend values already stored in registers to maintain compatibility with the kernel's expected argument format. Failure to do so can result in corrupted argument values being passed to kernel functions, leading to undefined behavior and kernel panics.

Root Cause

The root cause of this vulnerability lies in the BPF JIT (Just-In-Time) compiler for LoongArch not implementing proper sign extension for kfunc call arguments. The existing sign_extend() helper function could not be reused for this purpose because it operates differently than what was needed. The fix introduces a new emit_abi_ext() helper that performs in-place extension on values already stored in target registers, ensuring compliance with LoongArch calling conventions.

Attack Vector

Exploitation of this vulnerability requires the ability to load and execute BPF programs on an affected LoongArch system. An attacker with sufficient privileges to load BPF programs could craft a malicious BPF program that triggers kfunc calls with improperly extended arguments, potentially causing kernel panics and denial of service. The attack vector is local, requiring some level of access to the target system to load BPF programs.

The vulnerability manifests when BPF programs make kfunc calls without proper argument sign extension. The fix implements a new emit_abi_ext() helper function that properly extends values in registers according to LoongArch ABI requirements. For detailed implementation, refer to the kernel git commits.

Detection Methods for CVE-2025-71129

Indicators of Compromise

  • Unexpected kernel panics on LoongArch systems, particularly when BPF programs are in use
  • System crashes occurring during BPF program execution involving kfunc calls
  • Kernel log entries indicating argument corruption or unexpected behavior in BPF-related code paths

Detection Strategies

  • Monitor kernel logs for BPF-related crashes or panics on LoongArch systems
  • Audit running BPF programs and their kfunc call patterns
  • Implement kernel crash dump analysis to identify BPF-related failures

Monitoring Recommendations

  • Enable kernel crash dump collection to capture diagnostic information during panics
  • Monitor system stability metrics on LoongArch systems running BPF programs
  • Review kernel audit logs for unusual BPF program loading activity

How to Mitigate CVE-2025-71129

Immediate Actions Required

  • Update the Linux kernel to a patched version that includes the emit_abi_ext() fix
  • Review and limit BPF program loading privileges on affected LoongArch systems
  • Consider temporarily disabling untrusted BPF programs until patches are applied

Patch Information

The vulnerability has been addressed through multiple kernel commits that introduce the emit_abi_ext() helper function for proper sign extension of kfunc call arguments. The patches are available through the following kernel git commits:

Workarounds

  • Restrict BPF program loading to trusted users only using kernel.unprivileged_bpf_disabled sysctl
  • Monitor and audit BPF programs that utilize kfunc calls on LoongArch systems
  • Consider disabling BPF JIT compilation temporarily if patches cannot be immediately applied
bash
# Restrict unprivileged BPF program loading
sysctl -w kernel.unprivileged_bpf_disabled=1

# Make the setting persistent across reboots
echo "kernel.unprivileged_bpf_disabled = 1" >> /etc/sysctl.conf

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.