| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2026011344-CVE-2025-71098-ef6d@gregkh> Date: Tue, 13 Jan 2026 16:35:57 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-71098: ip6_gre: make ip6gre_header() robust From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: ip6_gre: make ip6gre_header() robust Over the years, syzbot found many ways to crash the kernel in ip6gre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was called, syzbot managed to attach an ip6gre device. [1] skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0 ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:213 ! <TASK> skb_under_panic net/core/skbuff.c:223 [inline] skb_push+0xc3/0xe0 net/core/skbuff.c:2641 ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371 dev_hard_header include/linux/netdevice.h:3436 [inline] neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 neigh_output include/net/neighbour.h:556 [inline] ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136 __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline] ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 The Linux kernel CVE team has assigned CVE-2025-71098 to this issue. Affected and fixed versions =========================== Issue introduced in 3.7 with commit c12b395a46646bab69089ce7016ac78177f6001f and fixed in 6.1.160 with commit adee129db814474f2f81207bd182bf343832a52e Issue introduced in 3.7 with commit c12b395a46646bab69089ce7016ac78177f6001f and fixed in 6.6.120 with commit 1717357007db150c2d703f13f5695460e960f26c Issue introduced in 3.7 with commit c12b395a46646bab69089ce7016ac78177f6001f and fixed in 6.12.64 with commit 5fe210533e3459197eabfdbf97327dacbdc04d60 Issue introduced in 3.7 with commit c12b395a46646bab69089ce7016ac78177f6001f and fixed in 6.18.4 with commit 91a2b25be07ce1a7549ceebbe82017551d2eec92 Issue introduced in 3.7 with commit c12b395a46646bab69089ce7016ac78177f6001f and fixed in 6.19-rc4 with commit db5b4e39c4e63700c68a7e65fc4e1f1375273476 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-71098 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/ipv6/ip6_gre.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/adee129db814474f2f81207bd182bf343832a52e https://git.kernel.org/stable/c/1717357007db150c2d703f13f5695460e960f26c https://git.kernel.org/stable/c/5fe210533e3459197eabfdbf97327dacbdc04d60 https://git.kernel.org/stable/c/91a2b25be07ce1a7549ceebbe82017551d2eec92 https://git.kernel.org/stable/c/db5b4e39c4e63700c68a7e65fc4e1f1375273476
Powered by blists - more mailing lists