Format String Vulnerability in Linux Kernel Affects BPF Trace Functionality
CVE-2025-38528

Currently unrated

Key Information:

Vendor: Linux
Status: Linux
Vendor: CVE Published:; 16 August 2025

What is CVE-2025-38528?

A format string vulnerability in the Linux kernel's BPF functions allows for improper handling of input resulting in kernel warnings. Specifically, the bpf_trace_printk function fails to reject an unsupported format string that contains multiple '%' characters. This oversight can lead to runtime warnings as the BPF program fails to process the input correctly, risking system stability. A patch has been applied to ensure that such format strings are appropriately rejected, enhancing the robustness of BPF functionalities.

Affected Version(s)

Linux 48cac3f4a96ddf08df8e53809ed066de0dc93915 < 61d5fa45ed13e42af14c7e959baba9908b8ee6d4

Linux 48cac3f4a96ddf08df8e53809ed066de0dc93915

Linux 48cac3f4a96ddf08df8e53809ed066de0dc93915 < 6952aeace93f8c9ea01849efecac24dd3152c9c9

References

https://git.kernel.org/stable/c/61d5fa45ed13e42af14c7e959...

https://git.kernel.org/stable/c/e7be679124bae8cf4fa6e40d7...

https://git.kernel.org/stable/c/6952aeace93f8c9ea01849efe...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 16, 2025
Vulnerability Reserved
Apr 16, 2025