Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71098

CVE-2025-71098: Linux Kernel ip6_gre DOS Vulnerability

CVE-2025-71098 is a denial of service vulnerability in the Linux kernel's ip6_gre module that causes kernel crashes through skb_under_panic. This post covers technical details, affected versions, impact, and mitigation.

Updated:

CVE-2025-71098 Overview

A buffer underflow vulnerability has been identified in the Linux kernel's IPv6 GRE tunneling implementation, specifically within the ip6gre_header() function. This vulnerability was discovered through syzbot fuzzing and can cause a kernel panic when processing malformed network packets under specific conditions involving team or bonding drivers.

The vulnerability occurs when mld_newpack() allocates a socket buffer (skb) with insufficient headroom, and an ip6gre device is subsequently attached before mld_sendpack() is invoked. This race condition can trigger a skb_under_panic, resulting in a kernel crash.

Critical Impact

Exploitation can cause kernel panic and system crash, leading to denial of service on affected Linux systems using IPv6 GRE tunneling with team or bonding network drivers.

Affected Products

  • Linux Kernel (ip6_gre module)
  • Systems using IPv6 GRE tunneling
  • Configurations utilizing team or bonding network drivers

Discovery Timeline

  • 2026-01-13 - CVE CVE-2025-71098 published to NVD
  • 2026-01-13 - Last updated in NVD database

Technical Details for CVE-2025-71098

Vulnerability Analysis

The vulnerability resides in the ip6gre_header() function located in net/ipv6/ip6_gre.c. The root cause is a failure to properly validate buffer headroom when team or bonding drivers dynamically modify dev->needed_headroom and/or dev->hard_header_len values at runtime.

When mld_newpack() creates a socket buffer for multicast listener discovery operations, it calculates the required headroom based on the current device configuration. However, if an ip6gre tunnel device is attached to a team or bonding interface between buffer allocation and packet transmission, the headroom requirements may change. The ip6gre_header() function then attempts to push data beyond the allocated buffer space, triggering a buffer underflow condition.

The crash manifests as an skb_under_panic at net/core/skbuff.c:213, occurring when skb_push() attempts to add 40 bytes of header data to a buffer that lacks sufficient space, resulting in the data pointer moving before the buffer head.

Root Cause

The vulnerability stems from improper synchronization between socket buffer allocation and network device configuration changes. Team and bonding drivers can dynamically adjust headroom requirements, but the MLD (Multicast Listener Discovery) code path does not account for these runtime changes. This creates a time-of-check to time-of-use (TOCTOU) race condition where the headroom calculated during allocation becomes invalid by the time the packet header is constructed.

Attack Vector

The attack vector involves manipulation of network device configurations during active IPv6 multicast operations:

  1. A system must be running IPv6 with MLD enabled
  2. Team or bonding interfaces must be configured
  3. An attacker or system process triggers device attachment/modification during MLD packet processing
  4. The timing window between mld_newpack() and mld_sendpack() is exploited
  5. The kernel attempts to push header data into insufficient buffer space, causing a panic

The crash trace shows the following execution path: mld_ifc_work()mld_sendpack()ip6_output()ip6_finish_output2()neigh_connected_output()dev_hard_header()ip6gre_header()skb_push()skb_under_panic.

Detection Methods for CVE-2025-71098

Indicators of Compromise

  • Kernel panic messages containing skb_under_panic with reference to ip6gre_header
  • System crashes during IPv6 multicast operations on team or bonding interfaces
  • Kernel log entries showing buffer underflow at net/core/skbuff.c with ip6gre in the call stack

Detection Strategies

  • Monitor kernel logs for skb_under_panic events with call traces involving ip6gre_header
  • Implement kernel crash dump analysis to identify patterns matching this vulnerability signature
  • Deploy network monitoring to detect unusual GRE tunnel attachment patterns on bonding interfaces

Monitoring Recommendations

  • Enable kernel crash reporting and analysis for early detection of exploitation attempts
  • Monitor system stability metrics on hosts utilizing IPv6 GRE tunneling with team or bonding drivers
  • Configure alerting for unexpected kernel panics in network subsystem code paths

How to Mitigate CVE-2025-71098

Immediate Actions Required

  • Apply the kernel patches referenced in the security commits to affected systems
  • Consider temporarily disabling IPv6 GRE tunneling on team or bonding interfaces if patching is not immediately possible
  • Prioritize patching systems that heavily utilize team or bonding network configurations with IPv6

Patch Information

The Linux kernel development team has released fixes across multiple stable kernel branches. The patches make ip6gre_header() more robust by properly validating buffer headroom before attempting to push header data.

Patches are available through the following commits:

Workarounds

  • Avoid using IPv6 GRE tunnels on team or bonding interfaces until patched
  • Implement network segmentation to limit exposure of vulnerable configurations
  • Consider using alternative tunneling protocols that are not affected by this vulnerability
bash
# Check if ip6_gre module is loaded
lsmod | grep ip6_gre

# Temporarily unload the module if not required (requires no active tunnels)
sudo modprobe -r ip6_gre

# Prevent module auto-loading by blacklisting
echo "blacklist ip6_gre" | sudo tee /etc/modprobe.d/blacklist-ip6gre.conf

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.