Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71085

CVE-2025-71085: Linux Kernel IPv6 CALIPSO DoS Vulnerability

CVE-2025-71085 is a denial of service flaw in the Linux kernel's IPv6 CALIPSO implementation that triggers a kernel oops through integer overflow in pskb_expand_head(). This article covers technical details, impact, and mitigation.

Updated:

CVE-2025-71085 Overview

A kernel vulnerability exists in the Linux kernel's IPv6 CALIPSO (Common Architecture Label IPv6 Security Option) implementation that can trigger a kernel panic via a BUG_ON() condition in pskb_expand_head(). The vulnerability is caused by an implicit integer cast issue in __skb_cow() when processing specially crafted IPv6 hop-by-hop options, allowing an attacker to pass a negative value for the nhead parameter.

Critical Impact

This vulnerability can cause a kernel oops (panic), resulting in denial of service through system crash. An attacker with local access can trigger the bug by sending specially crafted UDP packets with malicious IPv6 hop-by-hop extension headers when CALIPSO is configured.

Affected Products

  • Linux kernel with IPv6 and CALIPSO support enabled
  • Systems using netlabel with CALIPSO protocol configurations
  • IPv6-enabled network stacks with hop-by-hop options processing

Discovery Timeline

  • 2026-01-13 - CVE CVE-2025-71085 published to NVD
  • 2026-01-13 - Last updated in NVD database

Technical Details for CVE-2025-71085

Vulnerability Analysis

The vulnerability resides in the CALIPSO socket buffer attribute handling within the Linux kernel's networking subsystem. When calipso_skbuff_setattr() invokes skb_cow() to ensure there is sufficient headroom in the socket buffer, a calculation error can occur due to implicit integer casting in __skb_cow().

The problematic code path performs a boundary check (headroom > skb_headroom(skb)) intended to ensure that delta = headroom - skb_headroom(skb) never becomes negative. However, when headroom exceeds INT_MAX and delta evaluates to a value less than or equal to -NET_SKB_PAD, the check incorrectly passes. This results in pskb_expand_head() receiving a negative value for the nhead parameter, triggering the BUG_ON(nhead < 0) assertion at net/core/skbuff.c:2232.

The vulnerability can be triggered locally by an attacker who can:

  1. Configure netlabel to use CALIPSO protocol (requires privileges)
  2. Send UDP datagrams over IPv6 with crafted hop-by-hop extension headers

Root Cause

The root cause is an implicit integer overflow/underflow vulnerability in the __skb_cow() function. The boundary validation logic fails to account for cases where the headroom value exceeds INT_MAX, causing the subsequent subtraction operation to produce a negative delta value that bypasses the safety check. This is fundamentally an Integer Overflow vulnerability combined with insufficient bounds checking on the headroom calculation in calipso_skbuff_setattr().

Attack Vector

The attack requires local access and the ability to send IPv6 UDP packets with specially crafted control messages. The attacker uses the sendmsg() system call with an msghdr structure containing malicious IPv6 hop-by-hop options (IPV6_HOPOPTS). By setting specific values in the hop header that result in headroom calculations exceeding INT_MAX, the attacker can trigger the kernel BUG_ON condition, causing an immediate system crash.

The vulnerability is exploitable when CALIPSO is configured on the target system using netlabel, mapping the default address space to the CALIPSO protocol. The proof-of-concept demonstrates that setting hop_hdr[1] = 0x9 creates a hop size of 80 bytes ((0x9 + 1) * 8) which, combined with the message control length of 0x60, triggers the integer overflow condition.

Detection Methods for CVE-2025-71085

Indicators of Compromise

  • Unexpected kernel panics or system crashes with stack traces referencing pskb_expand_head() or calipso_skbuff_setattr()
  • System logs showing BUG_ON assertions in net/core/skbuff.c
  • Audit logs indicating netlabel configuration changes adding CALIPSO mappings
  • Unusual IPv6 UDP traffic patterns with oversized hop-by-hop extension headers

Detection Strategies

  • Monitor for kernel oops messages containing references to pskb_expand_head, __skb_cow, or calipso_skbuff_setattr functions
  • Implement system auditing on netlabel configuration commands (netlabelctl)
  • Use kernel tracing tools (ftrace, eBPF) to monitor socket buffer operations for anomalous headroom values
  • Deploy crash dump analysis to identify the specific trigger pattern in system failures

Monitoring Recommendations

  • Enable kernel crash dump collection (kdump) to capture diagnostic information when the BUG_ON triggers
  • Configure auditd rules to track execution of netlabel management commands
  • Monitor for systems with CALIPSO protocol enabled via netlabel configuration review
  • Implement network monitoring for IPv6 packets with unusually large hop-by-hop extension headers

How to Mitigate CVE-2025-71085

Immediate Actions Required

  • Apply the kernel patches from the official Linux kernel git repository immediately
  • Review and restrict netlabel configurations to remove unnecessary CALIPSO mappings
  • Limit local user access on systems where CALIPSO is required
  • Consider disabling CALIPSO support if not operationally required

Patch Information

The Linux kernel maintainers have released patches to address this vulnerability. The fix modifies calipso_skbuff_setattr() to properly validate headroom values before passing them to skb_cow(), ensuring that only positive (growth) values are used. The following kernel commits contain the fix:

Update to a kernel version containing one of these commits to resolve the vulnerability.

Workarounds

  • Remove CALIPSO mappings from netlabel if not required: netlabelctl map del default followed by configuration without CALIPSO protocol
  • Disable IPv6 on systems where it is not operationally necessary
  • Restrict access to the netlabelctl utility to prevent unauthorized CALIPSO configuration
  • Use network namespace isolation to limit exposure of vulnerable kernel code paths
bash
# Remove CALIPSO configuration as a workaround
netlabelctl map del default
netlabelctl calipso del doi:7
# Verify CALIPSO is not configured
netlabelctl calipso list

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.