Impact
In the Linux kernel, the sit (IPv6 over IPv4 tunnel) implementation caches a pointer to the inner IPv6 header at the entry of ipip6_tunnel_xmit() and later relies on that same pointer after Generic Segmentation Offload (GSO) processing. During GSO, iptunnel_handle_offloads() may clone or reallocate the socket buffer header, causing the skb head to move and leaving the cached pointer stale. Subsequent code reads the hop limit and DS field from this stale pointer, potentially accessing freed memory. This misuse of a cached pointer is a classic buffer misuse flaw (CWE‑825) that can lead to an out‑of‑bounds read or kernel memory corruption, jeopardizing system integrity and possibly leaking sensitive packet data.
Affected Systems
All Linux kernel releases that still contain the unpatched sit tunnel code are affected. The flaw exists in the kernel code that has not yet incorporated the upstream patch for the commit referenced in the provided kernel patches. Distribution kernels that ship the affected code before the fix are therefore at risk. The vulnerability applies to any Linux system running a kernel version older than the patched commit.
Risk and Exploitability
The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, indicating a very low probability of exploitation under current conditions. The CVSS score of 9.8 reflects a severe potential impact, including kernel memory corruption and possible data leakage. Based on the description, it is inferred that an attacker could exploit this flaw by sending specially crafted SIP tunnel traffic that triggers GSO offloading, thereby causing the stale header pointer to be used. Such an attack would likely require local or privileged access to construct the packet, and no public exploits are known at present.
OpenCVE Enrichment
Debian DLA