Analysis of the eBPF Vulnerabilities in the Linux Kernel

Rosario Rizza (ORCID 0009-0009-0498-8304), Riccardo Sisto (ORCID 0000-0002-3142-2383), and Fulvio Valenza (ORCID 0000-0002-8471-3029)

DAUIN, Politecnico di Torino, Turin, Italy
Abstract. eBPF has become a fundamental part of modern Linux, offering in-kernel programmability for networking, observability, and security tasks. Its rapid expansion, however, has enlarged the kernel's attack surface, particularly in security-critical components such as the verifier, where frequent vulnerabilities have been reported. These flaws pose significant risks to kernel stability and security. This paper conducts a study of 249 eBPF-related Common Vulnerabilities and Exposures (CVE) records published between 2014 and April 2025, considering Common Weakness Enumeration (CWE) tags, Common Vulnerability Scoring System (CVSS) severity metrics, kernel-version mappings, timing, and more, enabling a comprehensive view of long-term trends. Our investigation focuses on the temporal evolution of eBPF-related vulnerabilities, how long they remain unpatched, where they occur within the eBPF subsystem, what coding flaws cause them, and how severe and impactful they are.

Keywords: eBPF · CVE · Linux Kernel · Security · Vulnerability Analysis · Verifier
1 Introduction

The extended Berkeley Packet Filter (eBPF) has rapidly evolved from a packet filtering mechanism into a general-purpose execution environment embedded within the Linux kernel. It powers applications ranging from low-level observability tools (e.g., bcc, bpftrace) to security frameworks (e.g., seccomp filtering) and high-performance networking (e.g., XDP, Cilium). Its versatility, performance, and low-level integration with the kernel have favored widespread adoption and increased its popularity.

However, the increasing programmability of the kernel comes at a cost: a broader attack surface. Despite significant engineering efforts to harden the eBPF runtime, vulnerabilities continue to be discovered regularly. A better understanding of where, why, and how these bugs occur is essential to improving the security of the kernel as a whole. The eBPF community is quite active in the security field, and numerous papers have been published to describe the vulnerabilities of eBPF. However, although the analysis of Common Vulnerabilities and Exposures (CVE) database records is known to be useful to provide insights into specific classes of security issues, this kind of analysis has been done only to a limited extent for eBPF-related vulnerabilities: Mohamed et al. [10] studied 18 eBPF-related CVEs published in a limited time range to justify the development of a fuzzer.

This paper performs a more thorough analysis of the 249 eBPF-related CVEs reported between 2014 and April 2025. Section 2 situates our work within the existing literature; Section 3 summarizes essential background; Section 5 outlines our data-collection and analysis methodology; Section 4 introduces the research questions, and Section 6 addresses them, by providing insights into the temporal and structural behavior of eBPF vulnerabilities; Section 7 concludes and summarizes the results obtained.
2 Related Work

The analysis of CVE records (e.g. [12] [11]) is a common practice to get insights about specific security issues. To our knowledge, in the field of eBPF security, a paper by Mohamed et al. [10] presented the only prior study of this kind. They classified 18 eBPF-related CVEs published in the two years preceding their 2023 publication and showed that the eBPF verifier is the eBPF module most frequently compromised. This study was used to motivate the development of a fuzzer to detect new vulnerabilities affecting the eBPF verifier. It is quite limited because it just considers a few of the many eBPF-related vulnerabilities published as CVEs and a few aspects.

Our study broadens the previous one in several ways. First, it enlarges the analysis time range, spanning the entire public history of eBPF CVEs (2014 to April 2025). Secondly, it considers richer metadata such as CWE category, CVSS severity, vulnerable kernel versions, and more, and related statistics. Such extra data lets us observe long-term trends and gives a complete view of the history of the eBPF subsystem's security.

Our study follows an increasing research interest in eBPF security, including eBPF-focused fuzzers, such as [3] [14], proposals for hardening the eBPF subsystem, such as [17] [2], and proof-of-concept exploits of eBPF system vulnerabilities, such as [5] [7].

Related work on CVE analysis in other domains, ranging from open source software [11] to IoT firmware [12], demonstrates that similar large-scale analyses provide valuable insights beyond the kernel context.
3 Background

3.1 eBPF

eBPF (extended Berkeley Packet Filter) [15] is a lightweight, in-kernel technology that allows user-defined bytecode to be executed within the Linux kernel. Originally introduced for packet filtering, eBPF has evolved into a general-purpose subsystem that supports a wide range of use cases, including tracing, security enforcement, and high-performance networking.

Architecture Overview An eBPF program is typically loaded from user space via the bpf() system call. Upon loading, the program is verified by the eBPF verifier, which ensures safe and secure execution properties such as memory safety, bounded loops, and safe access to kernel data. Once verified, the program may be interpreted and executed by the eBPF virtual machine, or compiled to native code by a JIT compiler, depending on the architecture and system configuration. Programs interact with kernel subsystems through a restricted set of helper functions, which serve as an API boundary between eBPF code and kernel internals. In order to interact with user space, special data structures, called maps, are used.

Security Model The eBPF verifier enforces a strict set of rules to guarantee that programs cannot crash the kernel, access invalid memory, or perform privileged operations. However, due to the complexity of static verification and the evolving nature of eBPF features, the verifier and related components have become a recurring source of security vulnerabilities. In some cases, flaws in the verifier or helper functions have allowed unprivileged users to escalate privileges or corrupt kernel memory [7].

In order to run eBPF, the Linux capability CAP_BPF is required, with additional capabilities such as CAP_NET_ADMIN for networking hooks or CAP_PERFMON for performance tracing (CAP_BPF and CAP_PERFMON were introduced in kernel 5.8; CAP_SYS_ADMIN still grants full access and was the only option on older kernels). While an unprivileged eBPF mode exists, it is governed by the kernel.unprivileged_bpf_disabled sysctl and is disabled by default on most mainstream distributions.
3.2 CVEs

Modern vulnerability tracking relies on a layered taxonomy maintained by MITRE and NIST. At the root sits the Common Vulnerabilities and Exposures (CVE) list, which assigns a unique identifier to every publicly disclosed security flaw, ensuring that vendors, researchers, and tooling refer to the same issue unambiguously [9]. Each CVE record is then often enriched by two companion schemes. The Common Platform Enumeration (CPE) catalog provides a structured name for every affected product or version, allowing a CVE to specify its exact impact range (e.g. cpe:/o:linux:linux_kernel:5.15) [8]. Meanwhile, the Common Weakness Enumeration (CWE) classifies the underlying programming fault, such as CWE-119 "Improper Restriction of Operations within the Bounds of a Memory Buffer", so that analysts can discuss root causes independently of any particular platform [1].

Linux Kernel CVE Management The Linux kernel community integrates this into a defined disclosure workflow [16]. New kernel issues are first reported, often under embargo, to the private linux-distros mailing list, giving major vendors time to prepare patches. The kernel security team then requests or reuses a CVE identifier (since February 2024 the kernel project is its own CVE Numbering Authority and assigns identifiers directly) and announces the vulnerability on linux-cve-announce once a patch is available. Stable-branch maintainers back-port the patch to all supported releases, while distributors map the CVE to their package versions through CPE names and publish advisories that reference the relevant CWE category.
4 Research Questions

To guide our analysis of eBPF-related vulnerabilities, we formulate a set of targeted research questions in order to examine when vulnerabilities appear, how they evolve across successive kernel releases, and how long they remain unpatched, thus outlining a timeline of exposure and remediation. In parallel, we analyze eBPF vulnerabilities from three complementary perspectives: where they occur within the subsystem, what kinds of coding errors cause them, and how severe or exploitable they tend to be.

– RQ1: What is the temporal distribution of eBPF-related CVEs?
– RQ2: What is the trend of the number of eBPF-related CVEs affecting each Linux kernel minor version?
– RQ3: How long do eBPF-related vulnerabilities remain latent in the Linux kernel before being patched?
– RQ4: Which eBPF modules are most affected by eBPF-related CVEs?
– RQ5: What are the most frequent CWE categories among eBPF-related CVEs?
– RQ6: How severe are eBPF-related vulnerabilities and what do CVSS vector metrics reveal about their exploitation characteristics?
5 Methodology

5.1 Data Acquisition

The first step of our analysis consisted of downloading the entire archive of publicly disclosed CVEs from the National Vulnerability Database (NVD), maintained by the National Institute of Standards and Technology (NIST) [13]. The dataset used was retrieved on April 29, 2025, hence it contained all the CVEs registered up to that date with the latest updates. We paired this data with the metadata of the official Linux git repository [6], specifically with the commit history, to extract the commit date and the files that were involved.

5.2 Data Classification and Refinement

To identify eBPF-related vulnerabilities, we first performed a keyword-based filtering by selecting all entries containing the substring bpf, which yielded a total of 401 CVEs. This raw subset was refined through manual inspection, classifying each entry as included, external, or excluded. External refers to vulnerabilities affecting eBPF-related software outside the Linux kernel itself, such as user-space tools like Cilium; a total of 63 of these CVEs were found in the database. The excluded category includes cases where the term bpf appears only incidentally, but not connected to BPF, or where eBPF is merely used as a vector to trigger or exploit other vulnerabilities not inherent to eBPF internals. After this filtering, the dataset retained 249 CVEs for analysis.
6 Results and Discussion

In this section, we present the results of our analysis and provide answers to the research questions introduced in the previous section. Each answer contains a note on the methodology used to extract the dimension needed for calculating the result, and the analysis of the output.
6.1 RQ1: What is the temporal distribution of eBPF-related CVEs?

Fig. 1. Temporal distribution of eBPF-related CVEs, aggregated by four-month intervals.

Methodology To analyze the temporal evolution of eBPF-related CVEs, we relied on their official publication dates as recorded in public vulnerability databases. For consistency and to capture trends at a suitable granularity, we aggregated CVEs into fixed four-month intervals. This grouping ensures regular spacing across the timeline and accommodates the most recent disclosures, including those from the first third of 2025.

Analysis The resulting distribution reveals a general upward trend over the years, punctuated by a few early anomalies (Fig. 1). An initial bump appears around 2017, followed by relatively low but persistent activity. A more noticeable increase occurs between 2021 and 2022, and from late 2023 onward, the number of CVEs more than doubles compared to previous intervals, culminating in a peak in the first third of 2024, with over 60 new vulnerabilities reported.

To better understand the long-term trend beyond short-term fluctuations, we applied a smoothed interpolation technique. The resulting curve shows a non-linear, but clearly upward trajectory, with minor local fluctuations, including a slight rise around 2019, before accelerating more steeply in recent intervals. This trend supports the interpretation that eBPF has become an increasingly critical and exposed component in the Linux kernel. The sharp increase in the number of vulnerabilities reported in the past year may also be linked to the concurrent development and publication of new fuzzing-based techniques for systematic vulnerability discovery, such as [3] [14], as well as to the growing complexity of the verifier [4]. A further confounder should be kept in mind when reading the 2024 peak: in February 2024 the Linux kernel project became its own CVE Numbering Authority and began assigning CVEs to a much larger share of fixes, which raises post-2024 counts across all kernel subsystems, not only eBPF.
6.2 RQ2: What is the trend of the number of eBPF-related CVEs affecting each Linux kernel minor version?

Methodology For each CVE we extracted the list of affected kernel versions, encoded in the CVE record through CPE strings, and mapped those CPE tuples to the corresponding minor-release numbers. After this step, we obtained, for the first release (and for each patch release) of every Linux kernel minor version, the total number of CVEs affecting it. In Fig. 2, we plot the number of CVEs affecting the first release of every Linux kernel minor version.
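The pipeline of Sections 5.2, 6.1 and 6.2 (keyword pre-filter on "bpf", separation of records that name no kernel product, four-month binning of publication dates, and mapping of CPE version ranges onto the first release of each minor version), as an added example that is not the paper's own tooling. It assumes records shaped like the "vulnerabilities" entries of the NVD API 2.0 feed (`cve.id`, `cve.published`, `cve.descriptions`, `cve.configurations[].nodes[].cpeMatch[]` with `versionStartIncluding`/`versionEndExcluding` and friends); the four sample records, their identifiers, dates and ranges are constructed for illustration and are not real CVEs. The manual included/external/excluded pass of the paper is not replaced: `has_kernel_cpe` only flags the obvious "external" candidates.

```python
"""Keyword filter, date binning and CPE-range mapping over NVD-style CVE records (added example)."""
import re

# Constructed records shaped like NVD API 2.0 "vulnerabilities" entries. Not real CVEs.
SAMPLE_RECORDS = [
    {"cve": {"id": "CVE-0000-0001", "published": "2024-03-05T10:00:00.000",
             "descriptions": [{"lang": "en", "value": "Incorrect bounds tracking in the eBPF verifier."}],
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.8", "versionEndExcluding": "5.10.100"},
                 {"vulnerable": True, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.30"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "published": "2024-07-19T08:30:00.000",
             "descriptions": [{"lang": "en", "value": "Use-after-free in a BPF map implementation."}],
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:o:linux:linux_kernel:5.15:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0003", "published": "2023-11-02T12:00:00.000",
             "descriptions": [{"lang": "en", "value": "Cilium, a user-space eBPF agent, mishandles policy."}],
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.12.0"}]}]}]}},
    {"cve": {"id": "CVE-0000-0004", "published": "2023-11-20T12:00:00.000",
             "descriptions": [{"lang": "en", "value": "Unrelated driver bug in the Linux kernel."}],
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.0", "versionEndExcluding": "5.4.10"}]}]}]}},
]

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text):
    """'5.10' -> (5, 10, 0), '4.4.302' -> (4, 4, 302); -rcN and other suffixes are ignored."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable kernel version: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def _cpe_matches(cve):
    for cfg in cve.get("configurations", []):
        for node in cfg.get("nodes", []):
            yield from node.get("cpeMatch", [])


def mentions_bpf(record):
    """The paper's first pass: the substring 'bpf' in the English description or a product name."""
    cve = record["cve"]
    texts = [d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"]
    texts += [m["criteria"] for m in _cpe_matches(cve)]
    return any("bpf" in t.lower() for t in texts)


def _bound(m, inclusive_key, exclusive_key):
    """Lower or upper bound of a cpeMatch as (version, inclusive); (None, True) means unbounded."""
    if inclusive_key in m:
        return parse_version(m[inclusive_key]), True
    if exclusive_key in m:
        return parse_version(m[exclusive_key]), False
    return None, True


def kernel_ranges(record):
    """(lo, lo_inclusive, hi, hi_inclusive) for every vulnerable linux_kernel CPE in the record."""
    ranges = []
    for m in _cpe_matches(record["cve"]):
        fields = m["criteria"].split(":")  # cpe:2.3:part:vendor:product:version:...
        if not m.get("vulnerable", True) or fields[3:5] != ["linux", "linux_kernel"]:
            continue
        if fields[5] not in ("*", "-"):  # pinned version, e.g. linux_kernel:5.15
            v = parse_version(fields[5])
            ranges.append((v, True, v, True))
            continue
        lo, lo_inc = _bound(m, "versionStartIncluding", "versionStartExcluding")
        hi, hi_inc = _bound(m, "versionEndIncluding", "versionEndExcluding")
        ranges.append((lo, lo_inc, hi, hi_inc))
    return ranges


def has_kernel_cpe(record):
    """False for records that only name products outside the kernel (candidates for 'external')."""
    return bool(kernel_ranges(record))


def affects(record, version):
    """True if `version` (e.g. '5.10' for the first 5.10 release) lies in any vulnerable range."""
    v = parse_version(version)
    for lo, lo_inc, hi, hi_inc in kernel_ranges(record):
        below = lo is not None and (v < lo or (v == lo and not lo_inc))
        above = hi is not None and (v > hi or (v == hi and not hi_inc))
        if not below and not above:
            return True
    return False


def four_month_bucket(record):
    """Publication date -> 'YYYY-Tn' label (n = 1..3), the binning used for the temporal distribution."""
    published = record["cve"]["published"]
    return f"{published[:4]}-T{(int(published[5:7]) - 1) // 4 + 1}"


def cves_per_minor(records, minors):
    """For the first release of each listed minor version, count the kernel eBPF CVEs affecting it."""
    kept = [r for r in records if mentions_bpf(r) and has_kernel_cpe(r)]
    return {m: sum(affects(r, m) for r in kept) for m in minors}
```

Versions are padded to three components before comparison so that a range ending at `versionEndExcluding: "5.10"` correctly excludes the 5.10 release itself, and a pinned `linux_kernel:5.15` CPE is treated as the single version 5.15.0 rather than as the whole 5.15 series; both are common sources of off-by-one counts when this mapping is done by string comparison.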
Analysis Beginning with version 4.14, the count of eBPF-related CVEs affecting the first release of the version increases steadily, peaking at just over 100 in kernel 5.10, which is an LTS release. The increasing trend might be favored by a growing interest and a consequent faster development in the eBPF subsystem. The most recent minor versions exhibit lower counts, probably just because they have had less time in the field for vulnerabilities to be discovered and reported. LTS versions often appear as local maxima, reflecting more active development and backporting efforts compared to adjacent non-LTS releases; a reporting effect may also contribute, since affected-version ranges in CVE records are frequently expressed in terms of the LTS trees that distributions ship.
Fig. 2. eBPF-related CVEs affecting the first release of each kernel minor version.
6.3 RQ3: How long do eBPF-related vulnerabilities remain latent in the Linux kernel before being patched?

Methodology For each CVE in our dataset we identified the first kernel release reported as vulnerable (from CVE metadata) and the commit that introduced the corresponding patch (from the mainline Git history). We then computed the latency, in days, between the release date of the affected version and the date the fix was merged. Descriptive statistics were produced for 70% of CVEs, i.e., the ones for which this information is available. Note that this latency is the exposure window from the first affected release to the mainline fix: it is bounded below by the accuracy of the reported version range, it does not measure the time between a bug's introduction and its discovery, and stable backports land later still.
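The latency computation and the summary statistics described above, as an added example that is not the paper's own code. It assumes the NVD records have already been reduced to the first vulnerable version, the merge date of the fix and the CVSS base score; the release-date table and the five CVE rows are constructed (invented identifiers, dates and scores), and in a real run the release dates should be taken from the kernel tags, e.g. `git log -1 --format=%cs v5.10`.

```python
"""Patch latency per CVE and descriptive statistics (added example, not the paper's tooling)."""
from datetime import date
from statistics import mean, median, stdev

# Constructed release-date table; in practice derive it from the kernel tags (git log -1 --format=%cs vX.Y).
RELEASE_DATES = {
    "4.14": date(2017, 11, 12),
    "5.4": date(2019, 11, 24),
    "5.10": date(2020, 12, 13),
    "5.15": date(2021, 10, 31),
}

# Constructed CVE rows, already reduced to the three fields the computation needs.
# fix_merged=None models a CVE whose fix commit could not be identified (the other 30% in the paper).
SAMPLE_CVES = [
    {"id": "CVE-0000-0001", "first_vulnerable": "5.4", "fix_merged": date(2021, 6, 1), "cvss": 7.8},
    {"id": "CVE-0000-0002", "first_vulnerable": "5.10", "fix_merged": date(2021, 1, 20), "cvss": 5.5},
    {"id": "CVE-0000-0003", "first_vulnerable": "4.14", "fix_merged": date(2023, 6, 30), "cvss": 7.0},
    {"id": "CVE-0000-0004", "first_vulnerable": "5.15", "fix_merged": date(2022, 2, 1), "cvss": 4.4},
    {"id": "CVE-0000-0005", "first_vulnerable": "5.10", "fix_merged": None, "cvss": 8.8},
]


def latency_days(entry):
    """Days from the first vulnerable release to the merge of the fix; None if either date is unknown."""
    release = RELEASE_DATES.get(entry["first_vulnerable"])
    if release is None or entry["fix_merged"] is None:
        return None
    return (entry["fix_merged"] - release).days


def pearson(xs, ys):
    """Plain Pearson correlation coefficient, so the script has no third-party dependency."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5


def latency_report(entries, high_severity=7.0):
    """Descriptive statistics over the CVEs with a known latency, plus the high-severity breakdown."""
    known = [(e, d) for e in entries if (d := latency_days(e)) is not None]
    days = [d for _, d in known]
    scores = [e["cvss"] for e, _ in known]
    high = [d for e, d in known if e["cvss"] >= high_severity]
    return {
        "coverage": len(known) / len(entries),  # share of CVEs for which both dates are available
        "mean": mean(days),
        "median": median(days),
        "max": max(days),
        "stdev": stdev(days),  # sample standard deviation
        "corr_latency_cvss": pearson(days, scores),
        "high_total": len(high),
        "high_fixed_within_1y": sum(d <= 365 for d in high),
        "high_fixed_within_2y": sum(d <= 730 for d in high),
    }
```

Reporting the coverage alongside the statistics matters: CVEs without an identifiable fix commit are dropped silently by the join, and if those are disproportionately old or severe the mean and the severity correlation shift without any visible error.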
Analysis Across the complete set, the mean time-to-fix is 1037.6 days and the median is 737 days, with a maximum of 7744 days (extremes of this size arise when the reported affected-version range starts at a very old kernel). Removing the two longest delays reduces the mean slightly to 995 days while leaving the median unchanged, suggesting that most vulnerabilities are characterized by a broadly similar exposure window and that extreme cases have limited influence on the central tendency. No temporal pattern is apparent: both older and more recent kernel versions show a mix of vulnerabilities uncovered within weeks and others persisting for several years. The large standard deviation (about 1060 days), almost equal to the mean, confirms this wide dispersion: there is no single "typical" discovery delay, but rather a broad spectrum of latency times across the entire history of eBPF development. Moreover, there is no significant correlation between the patch latency and the CVE severity (the computed correlation is 0.06), which is concerning given the potential impact of delayed remediation of serious vulnerabilities. Among the 32 vulnerabilities with a severity score of at least 7, only 10 were fixed within the first year, and 15 within two years, meaning that more than half (17 vulnerabilities) remained unpatched for over two years after their initial release. Overall, eBPF-related vulnerabilities tend to persist in the kernel for roughly two to three years before a corrective patch is merged. This long persistence, associated with the high occurrence rate and the absence of correlation with severity, raises a warning, showing that the eBPF system could be a significant catchment area for zero-day vulnerabilities.
6.4 RQ4: Which eBPF modules are most affected by eBPF-related CVEs?

Fig. 3. Top 10 eBPF subsystem modules affected by CVEs.

Methodology To identify which components of the eBPF subsystem are most frequently affected by security vulnerabilities, we first performed a manual classification of all eBPF-related CVEs. Each CVE was analyzed and assigned to one or more functional modules, depending on the nature of the vulnerability. The categories include: verifier (responsible for validating eBPF programs before execution), core (handling the internal logic, system calls, and virtual machine behavior), maps (managing eBPF maps), helpers (covering helper functions), kernel functions (kfuncs), JIT compiler (just-in-time translation to native instructions), BTF (the BPF Type Format, providing type information for programs and kernel structures), selftests (internal testing infrastructure), and various subsystems (e.g., networking, tracing, and performance hooks).

Importantly, this categorization is not mutually exclusive: a single CVE may span multiple modules. For instance, a verifier flaw that fails to correctly validate access to a helper function is associated with both the verifier and helpers categories.

Fig. 4. Top 10 files most frequently modified in commits addressing eBPF-related CVEs.
To complement this logical classification with a source-level perspective, we further analyzed the code changes applied to fix each vulnerability. For every CVE with an associated public fix, we extracted the commit(s) from the mainline Linux kernel repository and recorded the modified source files. Even if the patched files may not always indicate the origin of the vulnerability, the two analyses yielded similar results.
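The source-level pass described above, as an added example that is not the paper's tooling: it parses the output of `git log -1 --format=%H --name-only <sha>` collected for the fix commits, counts how many fix commits touch each file (the quantity plotted in Fig. 4), and maps paths onto the paper's module categories with a path-pattern heuristic. That heuristic is an assumption of this example, not the paper's manual per-CVE classification, which is why the two views are kept separate. The commit hashes and the CVE-to-commit table are constructed; the file paths are real kernel paths.

```python
"""File-level view of CVE fix commits (added example, not the paper's tooling)."""
import re
from collections import Counter

# Constructed text shaped like `git log -1 --format=%H --name-only <sha>` run once per fix commit
# and concatenated. The hashes are invented; the paths are real kernel file paths.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111

kernel/bpf/verifier.c
include/linux/bpf_verifier.h

2222222222222222222222222222222222222222

kernel/bpf/verifier.c
tools/testing/selftests/bpf/verifier/bounds.c

3333333333333333333333333333333333333333

net/core/filter.c
include/linux/bpf.h

4444444444444444444444444444444444444444

kernel/bpf/syscall.c
kernel/bpf/hashtab.c

5555555555555555555555555555555555555555

arch/x86/net/bpf_jit_comp.c
"""

# Constructed CVE -> fix-commit table (the paper recovers this from the CVE record's references).
FIX_COMMITS = {
    "CVE-0000-0001": ["1" * 40, "2" * 40],
    "CVE-0000-0002": ["3" * 40],
    "CVE-0000-0003": ["4" * 40],
    "CVE-0000-0004": ["5" * 40],
}

_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Path-pattern heuristic for the paper's module categories; order matters (first match wins).
# This mapping is an assumption of the example, not the paper's manual classification.
_MODULE_RULES = [
    (re.compile(r"bpf_jit"), "jit"),
    (re.compile(r"^kernel/bpf/verifier\.c$|bpf_verifier\.h$"), "verifier"),
    (re.compile(r"^kernel/bpf/btf\.c$|(^|/)btf\.h$"), "btf"),
    (re.compile(r"^kernel/bpf/helpers\.c$"), "helpers"),
    (re.compile(r"^kernel/bpf/.*(map|hashtab|ringbuf)"), "maps"),
    (re.compile(r"^tools/testing/selftests/bpf/"), "selftests"),
    (re.compile(r"^net/"), "networking"),
    (re.compile(r"^kernel/bpf/|^include/linux/bpf"), "core"),
]


def parse_name_only(text):
    """Map each 40-hex commit id to the list of paths printed under it."""
    commits, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if _SHA_RE.match(line):
            current = commits.setdefault(line, [])
        elif line and current is not None:
            current.append(line)
    return commits


def module_for_path(path):
    """First matching category from _MODULE_RULES, or 'other'."""
    for pattern, module in _MODULE_RULES:
        if pattern.search(path):
            return module
    return "other"


def file_and_module_counts(log_text, fix_commits, top=10):
    """Return (top-N files by number of fix commits touching them, number of CVEs per module)."""
    commits = parse_name_only(log_text)
    files, modules = Counter(), Counter()
    for shas in fix_commits.values():
        touched = set()
        for sha in shas:
            for path in commits.get(sha, []):
                files[path] += 1  # once per (commit, file), the unit of Fig. 4
                touched.add(module_for_path(path))
        modules.update(touched)  # once per CVE per module, comparable with Fig. 3
    return files.most_common(top), dict(modules)
```

Counting per commit for files but per CVE for modules keeps the two outputs comparable with the paper's two figures: a CVE fixed by a series of three verifier patches adds three to `verifier.c` but only one to the verifier module.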
Analysis The manual classification, shown in Fig. 3, reveals that the verifier is the most impacted module by a significant margin, followed by the networking subsystem, the core, and the helpers and maps modules. This distribution confirms the eBPF verifier's central role and its historical fragility in handling complex or edge-case program logic [10]. The file-level analysis shown in Fig. 4 further reinforces these findings. The most frequently modified file in CVE-related commits is verifier.c, which alone appears in nearly 70 commits, over three times more than the next file, syscall.c. Additional verifier-related files, such as bpf_verifier.h, also rank in the top 10. The top modified files are overwhelmingly located within kernel/bpf/, with a few exceptions in include/linux/ and net/core/, the latter reflecting vulnerabilities in networking integration.

Overall, both the logical module-based classification and the physical source-level analysis converge on the same conclusion: the eBPF verifier represents the most vulnerable and maintenance-intensive part of the eBPF subsystem. Its complexity, central role in enforcing safety, and ongoing evolution make it a persistent source of security challenges.