CVE-2025-29481

Publication date 7 April 2025

Last updated 5 June 2025


Ubuntu priority

Cvss 3 Severity Score

6.2 · Medium

Score breakdown

Buffer Overflow vulnerability in libbpf 1.5.0 allows a local attacker to execute arbitrary code via the bpf_object__init_prog` function of libbpf.

Read the notes from the security team

Status

Package Ubuntu Release Status
dwarves-dfsg 25.04 plucky Not in release
24.10 oracular Not in release
24.04 LTS noble Not in release
22.04 LTS jammy Not in release
20.04 LTS focal
Vulnerable, fix deferred
18.04 LTS bionic
Vulnerable, fix deferred
16.04 LTS xenial
Vulnerable, fix deferred
libbpf 25.04 plucky
Vulnerable, fix deferred
24.10 oracular
Vulnerable, fix deferred
24.04 LTS noble
Vulnerable, fix deferred
22.04 LTS jammy
Vulnerable, fix deferred
20.04 LTS focal
Vulnerable, fix deferred

Notes


0xnishit

dwarves-dfsg embedded statically linked copy of libbpf 0.4


mdeslaur

Per this upstream thread, the security implication of this issue is disputed, so this CVE is likely to get disputed also: https://lore.kernel.org/bpf/CAEf4Bzb2S+1TonOp9UH86r0e6aGG2LEA4kwbQhJWr=9Xju=NEw@mail.gmail.com/ https://lore.kernel.org/bpf/67b2be76-e1db-4163-995c-57073f127d7a@redhat.com/ Deferring for now until the CVE is disputed

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
libbpf

Severity score breakdown

Parameter Value
Base score 6.2 · Medium
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H