{
  "threat_severity" : "Low",
  "public_date" : "2025-10-07T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: bpf, arm64: Fixed a BTI error on returning to patched function",
    "id" : "2402271",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2402271"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbpf, arm64: Fixed a BTI error on returning to patched function\nWhen BPF_TRAMP_F_CALL_ORIG is set, BPF trampoline uses BLR to jump\nback to the instruction next to call site to call the patched function.\nFor BTI-enabled kernel, the instruction next to call site is usually\nPACIASP, in this case, it's safe to jump back with BLR. But when\nthe call site is not followed by a PACIASP or bti, a BTI exception\nis triggered.\nHere is a fault log:\nUnhandled 64-bit el1h sync exception on CPU0, ESR 0x0000000034000002 -- BTI\nCPU: 0 PID: 263 Comm: test_progs Tainted: GF\nHardware name: linux,dummy-virt (DT)\npstate: 40400805 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=-c)\npc : bpf_fentry_test1+0xc/0x30\nlr : bpf_trampoline_6442573892_0+0x48/0x1000\nsp : ffff80000c0c3a50\nx29: ffff80000c0c3a90 x28: ffff0000c2e6c080 x27: 0000000000000000\nx26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000050\nx23: 0000000000000000 x22: 0000ffffcfd2a7f0 x21: 000000000000000a\nx20: 0000ffffcfd2a7f0 x19: 0000000000000000 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffcfd2a7f0\nx14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000000 x10: ffff80000914f5e4 x9 : ffff8000082a1528\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0101010101010101\nx5 : 0000000000000000 x4 : 00000000fffffff2 x3 : 0000000000000001\nx2 : ffff8001f4b82000 x1 : 0000000000000000 x0 : 0000000000000001\nKernel panic - not syncing: Unhandled exception\nCPU: 0 PID: 263 Comm: test_progs Tainted: GF\nHardware name: linux,dummy-virt (DT)\nCall trace:\ndump_backtrace+0xec/0x144\nshow_stack+0x24/0x7c\ndump_stack_lvl+0x8c/0xb8\ndump_stack+0x18/0x34\npanic+0x1cc/0x3ec\n__el0_error_handler_common+0x0/0x130\nel1h_64_sync_handler+0x60/0xd0\nel1h_64_sync+0x78/0x7c\nbpf_fentry_test1+0xc/0x30\nbpf_fentry_test1+0xc/0x30\nbpf_prog_test_run_tracing+0xdc/0x2a0\n__sys_bpf+0x438/0x22a0\n__arm64_sys_bpf+0x30/0x54\ninvoke_syscall+0x78/0x110\nel0_svc_common.constprop.0+0x6c/0x1d0\ndo_el0_svc+0x38/0xe0\nel0_svc+0x30/0xd0\nel0t_64_sync_handler+0x1ac/0x1b0\nel0t_64_sync+0x1a0/0x1a4\nKernel Offset: disabled\nCPU features: 0x0000,00034c24,f994fdab\nMemory Limit: none\nAnd the instruction next to call site of bpf_fentry_test1 is ADD,\nnot PACIASP:\n<bpf_fentry_test1>:\nbti     c\nnop\nnop\nadd     w0, w0, #0x1\npaciasp\nFor BPF prog, JIT always puts a PACIASP after call site for BTI-enabled\nkernel, so there is no problem. To fix it, replace BLR with RET to bypass\nthe branch target check.", "A control-flow integrity flaw was found in the Linux kernel on the arm64 architecture within the extended Berkeley Packet Filter trampoline return path. Returning to a patched function with an instruction sequence that fails the branch-target security check can trigger an exception and panic. \nA local user could use this flaw to crash the system when attaching programs that patch kernel call sites, resulting in a denial of service." ],
  "statement" : "When the trampoline is configured to call the original function, it used an indirect branch back to the instruction after the call site. On arm64 systems with branch target enforcement, if that instruction is not one of the expected landing pads, the hardware raises an exception. The fix switches to a return instruction so the hardware recognizes a valid return target.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53634\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53634\nhttps://lore.kernel.org/linux-cve-announce/2025100714-CVE-2023-53634-8155@gregkh/T" ],
  "name" : "CVE-2023-53634",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent module bpf from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.",
    "lang" : "en:us"
  },
  "csaw" : false
}