CVE-2025-54351 Overview
A critical buffer overflow vulnerability has been identified in iperf3, the widely-used network bandwidth measurement and testing tool. The vulnerability exists in net.c when the --skip-rx-copy option is used in conjunction with MSG_TRUNC in the recv function. This flaw allows attackers to potentially execute arbitrary code or cause denial of service conditions through specially crafted network packets targeting vulnerable iperf3 installations.
Critical Impact
This buffer overflow vulnerability in iperf3's network receive path can be exploited remotely without authentication, potentially allowing complete system compromise on any host running a vulnerable iperf3 server or client with the --skip-rx-copy flag enabled.
Affected Products
- Es iperf3 version 3.19 and earlier
- iperf3 installations using the --skip-rx-copy UDP zerocopy feature
- Network testing environments with exposed iperf3 services
Discovery Timeline
- 2025-08-03 - CVE-2025-54351 published to NVD
- 2025-10-17 - Last updated in NVD database
Technical Details for CVE-2025-54351
Vulnerability Analysis
The vulnerability stems from improper handling of the nleft variable in the Nrecv() function within net.c. When the --skip-rx-copy flag is used for UDP operations, the code passes MSG_TRUNC to recv() through the sock_opt argument, which can cause the receive operation to return a value larger than the buffer size. The original implementation declared nleft as a signed ssize_t, with a comment acknowledging that it "may get negative value for SKIP-RX-COPY UDP." However, this signed arithmetic led to incorrect boundary calculations, allowing buffer overflow conditions when processing truncated UDP datagrams.
Root Cause
The root cause lies in the type mismatch and improper boundary checking in the receive buffer handling code. The nleft variable was declared as a signed ssize_t to accommodate potential negative values during zerocopy UDP operations with MSG_TRUNC. However, this design decision created a situation where arithmetic operations on the remaining buffer space could underflow, bypassing buffer boundary checks and allowing writes beyond the allocated buffer region. The fix corrects this by changing nleft to an unsigned size_t type, eliminating the possibility of negative value exploitation.
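The MSG_TRUNC return-value behaviour described above, as an added example for Linux that is not iperf3's code: a constructed 200-byte datagram is received into a 64-byte buffer over a local socketpair, and the reported length is compared with what was actually stored. The function names (stored_bytes, naive_signed_left, safe_left, recv_trunc_demo) are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define GUARD 0x5A   /* fill byte used to detect writes past the buffer */
/* Bytes recv() really stored in a cap-byte buffer when it returned r.
 * With MSG_TRUNC, r is the datagram's full length and can exceed cap. */
size_t stored_bytes(ssize_t r, size_t cap)
{
    if (r <= 0)
        return 0;
    return (size_t)r > cap ? cap : (size_t)r;
}

/* Naive signed bookkeeping: goes negative when r exceeds the space left. */
ssize_t naive_signed_left(size_t nleft, ssize_t r) { return (ssize_t)nleft - r; }
/* Clamped bookkeeping: can never drop below zero or wrap. */
size_t safe_left(size_t nleft, ssize_t r) { return nleft - stored_bytes(r, nleft); }

/* Send one datagram over a local AF_UNIX socketpair and receive it with
 * MSG_TRUNC into the first cap bytes of a larger, guard-filled array.
 * Returns recv()'s value; *guard_ok is 1 if no byte past cap was written. */
ssize_t recv_trunc_demo(size_t dgram_len, size_t cap, int *guard_ok)
{
    char out[512], in[512];
    int sv[2];
    ssize_t r = -1;
    *guard_ok = 0;
    if (dgram_len > sizeof(out) || cap > sizeof(in) ||
        socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0)
        return -1;
    memset(out, 'A', sizeof(out));   /* constructed payload */
    memset(in, GUARD, sizeof(in));
    if (send(sv[0], out, dgram_len, 0) == (ssize_t)dgram_len) {
        r = recv(sv[1], in, cap, MSG_TRUNC);
        *guard_ok = 1;
        for (size_t i = cap; i < sizeof(in); i++)
            if (in[i] != GUARD) *guard_ok = 0;
    }
    close(sv[0]); close(sv[1]);
    return r;
}

int main(void)
{
    int ok;
    ssize_t r = recv_trunc_demo(200, 64, &ok);
    printf("recv=%zd stored=%zu guard_ok=%d\n", r, stored_bytes(r, 64), ok);
    return 0;
}
```

The kernel itself never writes past the 64 bytes it was given; the risk is in any later arithmetic that treats the returned length as the number of bytes stored.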
Attack Vector
This vulnerability is exploitable over the network without requiring authentication or user interaction. An attacker can target any iperf3 server or client configured with the --skip-rx-copy option by sending specially crafted UDP packets designed to trigger the buffer overflow condition. The attack exploits the behavior of the MSG_TRUNC flag, where the return value indicates the total message size rather than the bytes copied, causing the signed integer to go negative and bypass size validation.
Nrecv(int fd, char *buf, size_t count, int prot, int sock_opt)
{
register ssize_t r;
- // `nleft` must be signed as it may get negative value for SKIP-RX-COPY UDP (MSG_TRUNC in sock_opt).
- register ssize_t nleft = count;
- register size_t total = 0;
+ register size_t nleft = count;
struct iperf_time ftimeout = { 0, 0 };
fd_set rfdset;
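Review bot: at the new declaration `register size_t nleft = count;`, `r` is still `ssize_t` and the removed comment says the MSG_TRUNC path could drive `nleft` negative, so with an unsigned `nleft` any `nleft -= r` where `r` exceeds `nleft` would wrap to a very large value rather than go negative. The loop body is outside this hunk, so please confirm that `r` is clamped to `nleft` before the subtraction, and replace the deleted comment with one that states this invariant. The hunk also drops `register size_t total = 0;` with no visible replacement; the commit message should say how the function's return value is computed now.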
Source: GitHub Commit 969b7f70c447513e92c9798f22e82b40ebc53bf0
Detection Methods for CVE-2025-54351
Indicators of Compromise
- Unexpected crashes or segmentation faults in iperf3 processes during UDP testing
- Abnormal memory consumption patterns in iperf3 service processes
- Core dumps from iperf3 processes with stack traces involving Nrecv() or net.c functions
- Unusual network traffic patterns targeting iperf3 default ports (5201/TCP, 5201/UDP)
Detection Strategies
- Monitor for iperf3 processes running with the --skip-rx-copy flag using process monitoring tools
- Implement network intrusion detection rules for malformed UDP traffic targeting iperf3 services
- Review system logs for repeated iperf3 process crashes or restarts
- Deploy file integrity monitoring on iperf3 binaries to detect unauthorized modifications
Monitoring Recommendations
- Audit all systems for iperf3 installations and verify version numbers against vulnerable versions
- Implement centralized logging for iperf3 service activity and error conditions
- Monitor network perimeter for unexpected inbound connections to iperf3 service ports
- Enable process crash reporting to capture and analyze potential exploitation attempts
How to Mitigate CVE-2025-54351
Immediate Actions Required
- Upgrade iperf3 to version 3.19.1 or later immediately
- Discontinue use of the --skip-rx-copy flag until systems are patched
- Restrict network access to iperf3 services using firewall rules
- Review deployment scripts and configurations to remove vulnerable options
Patch Information
The vulnerability has been addressed in iperf3 version 3.19.1. The fix modifies the variable type declaration in the Nrecv() function from signed ssize_t to unsigned size_t, eliminating the integer underflow condition that enabled the buffer overflow. Organizations should apply this update through their package management systems or compile from the official source. The security patch is available in commit 969b7f70c447513e92c9798f22e82b40ebc53bf0. For detailed release information, refer to the iperf3 3.19.1 Release Notes.
Workarounds
- Remove or disable the --skip-rx-copy option from all iperf3 invocations until patched
- Implement network segmentation to isolate iperf3 testing infrastructure from production networks
- Use firewall rules to restrict iperf3 access to trusted IP addresses only
- Consider using alternative network performance testing tools until the patch can be applied
# Configuration example
# Verify current iperf3 version
iperf3 --version
# Update iperf3 on Debian/Ubuntu systems
sudo apt update && sudo apt install --only-upgrade iperf3
# Update iperf3 on RHEL/CentOS systems
sudo yum update iperf3
# Firewall rule to restrict iperf3 access (iptables example)
sudo iptables -A INPUT -p tcp --dport 5201 -s 10.0.0.0/8 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 5201 -s 10.0.0.0/8 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 5201 -j DROP
sudo iptables -A INPUT -p udp --dport 5201 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


