CVE-2025-38572 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved:

ipv6: reject malicious packets in ipv6_gso_segment()

syzbot was able to craft a packet with very long IPv6 extension headers
leading to an overflow of skb->transport_header.

This 16bit field has a limited range.

Add skb_reset_transport_header_careful() helper and use it
from ipv6_gso_segment()

WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline]
WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151
Modules linked in:
CPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline]
RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151
Call Trace:
<TASK>
skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53
nsh_gso_segment+0x54a/0xe10 net/nsh/nsh.c:110
skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53
__skb_gso_segment+0x342/0x510 net/core/gso.c:124
skb_gso_segment include/net/gso.h:83 [inline]
validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950
validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000
sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329
__dev_xmit_skb net/core/dev.c:4102 [inline]
__dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00064.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Advisories

Source	ID	Title
Debian DLA	DLA-4327-1	linux security update
Debian DLA	DLA-4328-1	linux-6.1 security update
EUVD	EUVD-2025-26102	In the Linux kernel, the following vulnerability has been resolved: ipv6: reject malicious packets in ipv6_gso_segment() syzbot was able to craft a packet with very long IPv6 extension headers leading to an overflow of skb->transport_header. This 16bit field has a limited range. Add skb_reset_transport_header_careful() helper and use it from ipv6_gso_segment() WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline] WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151 Modules linked in: CPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline] RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151 Call Trace: <TASK> skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53 nsh_gso_segment+0x54a/0xe10 net/nsh/nsh.c:110 skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53 __skb_gso_segment+0x342/0x510 net/core/gso.c:124 skb_gso_segment include/net/gso.h:83 [inline] validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950 validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000 sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329 __dev_xmit_skb net/core/dev.c:4102 [inline] __dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679
Ubuntu USN	USN-7879-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7879-2	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-7880-1	Linux kernel (OEM) vulnerabilities
Ubuntu USN	USN-7879-3	Linux kernel vulnerabilities
Ubuntu USN	USN-7909-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7879-4	Linux kernel vulnerabilities
Ubuntu USN	USN-7909-2	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-7909-3	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-7910-1	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-7909-4	Linux kernel vulnerabilities
Ubuntu USN	USN-7910-2	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-7909-5	Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN	USN-7933-1	Linux kernel (KVM) vulnerabilities
Ubuntu USN	USN-7934-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-7938-1	Linux kernel (Azure) vulnerabilities

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/09ff062b89d8e48165247d677d1ca23d6d607e9b
https://git.kernel.org/stable/c/3f638e0b28bde7c3354a0df938ab3a96739455d1
https://git.kernel.org/stable/c/5489e7fc6f8be3062f8cb7e49406de4bfd94db67
https://git.kernel.org/stable/c/573b8250fc2554761db3bc2bbdbab23789d52d4e
https://git.kernel.org/stable/c/5dc60b2a00ed7629214ac0c48e43f40af2078703
https://git.kernel.org/stable/c/d45cf1e7d7180256e17c9ce88e32e8061a7887fe
https://git.kernel.org/stable/c/de322cdf600fc9433845a9e944d1ca6b31cfb67e
https://git.kernel.org/stable/c/ee851768e4b8371ce151fd446d24bf3ae2d18789
https://git.kernel.org/stable/c/ef05007b403dcc21e701cb1f30d4572ac0a9da20
https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
https://lore.kernel.org/linux-cve-announce/2025081910-CVE-2025-38572-200b@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-38572
https://www.cve.org/CVERecord?id=CVE-2025-38572

History

Mon, 03 Nov 2025 18:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html

Thu, 28 Aug 2025 14:45:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/09ff062b89d8e48165247d677d1ca23d6d607e9b https://git.kernel.org/stable/c/3f638e0b28bde7c3354a0df938ab3a96739455d1 https://git.kernel.org/stable/c/5dc60b2a00ed7629214ac0c48e43f40af2078703

Thu, 21 Aug 2025 12:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linux Linux linux Kernel
Vendors & Products		Linux Linux linux Kernel

Wed, 20 Aug 2025 00:30:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025081910-CVE-2025-38572-200b@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-38572 https://www.cve.org/CVERecord?id=CVE-2025-38572
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Tue, 19 Aug 2025 17:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ipv6: reject malicious packets in ipv6_gso_segment() syzbot was able to craft a packet with very long IPv6 extension headers leading to an overflow of skb->transport_header. This 16bit field has a limited range. Add skb_reset_transport_header_careful() helper and use it from ipv6_gso_segment() WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline] WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151 Modules linked in: CPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline] RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151 Call Trace: <TASK> skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53 nsh_gso_segment+0x54a/0xe10 net/nsh/nsh.c:110 skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53 __skb_gso_segment+0x342/0x510 net/core/gso.c:124 skb_gso_segment include/net/gso.h:83 [inline] validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950 validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000 sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329 __dev_xmit_skb net/core/dev.c:4102 [inline] __dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679
Title		ipv6: reject malicious packets in ipv6_gso_segment()
References		https://git.kernel.org/stable/c/5489e7fc6f8be3062f8cb7e49406de4bfd94db67 https://git.kernel.org/stable/c/573b8250fc2554761db3bc2bbdbab23789d52d4e https://git.kernel.org/stable/c/d45cf1e7d7180256e17c9ce88e32e8061a7887fe https://git.kernel.org/stable/c/de322cdf600fc9433845a9e944d1ca6b31cfb67e https://git.kernel.org/stable/c/ee851768e4b8371ce151fd446d24bf3ae2d18789 https://git.kernel.org/stable/c/ef05007b403dcc21e701cb1f30d4572ac0a9da20

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-08-19T17:02:52.340Z

Updated: 2025-11-03T17:39:59.107Z

Reserved: 2025-04-16T04:51:24.025Z

Link: CVE-2025-38572

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2025-08-19T17:15:34.117

Modified: 2025-11-03T18:16:29.823

Link: CVE-2025-38572

Redhat

Severity : Moderate

Publid Date: 2025-08-19T00:00:00Z

Links: CVE-2025-38572 - Bugzilla

OpenCVE Enrichment

Updated: 2025-08-21T12:31:54Z

Weaknesses

No weakness.

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object