CVE-2020-8835

Public Exploit
Linux kernel bpf verifier vulnerability

Description

In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (issue is aka ZDI-CAN-10780)

Remediation

Solution:

  • Revert commit 581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions").

Workaround:

  • Mitigation for this vulnerability is available by setting the kernel.unprivileged_bpf_disabled sysctl to 1: $ sudo sysctl kernel.unprivileged_bpf_disabled=1 $ echo kernel.unprivileged_bpf_disabled=1 | sudo tee /etc/sysctl.d/90-CVE-2020-8835.conf This issue is also mitigated on systems that use secure boot with the kernel lockdown feature which blocks BPF program loading.

Category

7.8
CVSS
Severity: High
CVSS 3.1 •
CVSS 2.0 •
EPSS 26.85% Top 5%
Vendor Advisory ubuntu.com Vendor Advisory fedoraproject.org Vendor Advisory fedoraproject.org Vendor Advisory fedoraproject.org Vendor Advisory kernel.org Vendor Advisory kernel.org
Affected: Linux kernel Linux kernel
Published at:
Updated at:

References

Link Tags
https://usn.ubuntu.com/4313-1/ third party advisory vendor advisory
https://www.thezdi.com/blog/2020/3/19/pwn2own-2020-day-one-results third party advisory
https://lore.kernel.org/bpf/20200330160324.15259-1-daniel%40iogearbox.net/T/
https://www.openwall.com/lists/oss-security/2020/03/30/3 patch mailing list third party advisory
https://usn.ubuntu.com/usn/usn-4313-1 third party advisory
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef patch vendor advisory
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef patch vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7OONYGMSYBEFHLHZJK3GOI5Z553G4LD/ vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YXBWSHZ6DJIZVXKXGZPK6QPFCY7VKZEG/ vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TF4PQZBEPNXDSK5DOBMW54OCLP25FTCD/ vendor advisory
https://security.netapp.com/advisory/ntap-20200430-0004/ third party advisory
http://www.openwall.com/lists/oss-security/2021/07/20/1 mailing list third party advisory exploit

Frequently Asked Questions

What is the severity of CVE-2020-8835?
CVE-2020-8835 has been scored as a high severity vulnerability.
How to fix CVE-2020-8835?
To fix CVE-2020-8835: Revert commit 581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions").
Is CVE-2020-8835 being actively exploited in the wild?
It is possible that CVE-2020-8835 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~27% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-8835?
CVE-2020-8835 affects Linux kernel Linux kernel.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.