CVE-2025-71128 Overview
A buffer overflow vulnerability exists in the Linux kernel's ERSPAN (Encapsulated Remote Switch Port Analyzer) implementation within the GRE tunnel handling code. The vulnerability occurs because the options_len field in the struct ip_tunnel_info structure is not properly initialized before referencing the flexible array member options. This leads to a kernel panic when FORTIFY_SOURCE runtime bounds checking is enabled, particularly when the kernel is compiled with GCC 15 or later.
Critical Impact
This vulnerability causes a kernel panic and system crash when processing ERSPAN traffic in GRE tunnels, resulting in complete denial of service for affected systems.
Affected Products
- Linux kernel versions with GRE ERSPAN support
- Systems compiled with GCC 15+ and FORTIFY_SOURCE enabled
- Linux kernel configurations with CONFIG_NET_IPGRE enabled
Discovery Timeline
- 2026-01-14 - CVE-2025-71128 published to NVD
- 2026-01-14 - Last updated in NVD database
Technical Details for CVE-2025-71128
Vulnerability Analysis
The vulnerability stems from improper initialization order in the Linux kernel's ERSPAN packet handling code. The struct ip_tunnel_info structure contains a flexible array member called options that is protected by the counted_by(options_len) attribute, a security feature that enables compile-time and runtime bounds checking.
When GCC 15+ compiles this code with FORTIFY_SOURCE enabled, the compiler enforces strict runtime bounds checking on the memcpy operations that write to the options array. According to GCC documentation, the counter variable (options_len) must be initialized before any reference to the flexible array member.
In the GRE ERSPAN code path, a partial update is performed that bypasses the standard ip_tunnel_info_opts_set() helper function—which correctly initializes options_len before copying data. This results in a detected buffer overflow during ERSPAN packet reception, as the runtime check sees an attempt to write 4 bytes to a buffer with a reported size of 0.
Root Cause
The root cause is the failure to initialize options_len before performing write operations on the options flexible array member. The GRE ERSPAN receive path (erspan_rcv) performs partial updates to the tunnel info structure without using the ip_tunnel_info_opts_set() helper, which would properly set options_len prior to the memcpy operation. This violates the contract established by the counted_by attribute and triggers FORTIFY_SOURCE protection mechanisms.
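The ordering contract described above, as an added example (not kernel code and not the upstream fix): a user-space model of a counted_by flexible array and of the size check a FORTIFY_SOURCE memcpy performs against it. struct tunnel_info_model, MAX_OPTS, fortified_opts_copy() and the demo_* functions are simplified stand-ins for struct ip_tunnel_info and ip_tunnel_info_opts_set(); the 4-byte option payload is constructed. The point is only the order of "set options_len" versus "memcpy into options".

```c
/* Added example, not kernel code: a user-space model of the counted_by
 * contract that CVE-2025-71128 violates. struct tunnel_info_model, the
 * helper names and MAX_OPTS are simplified stand-ins (assumptions) for
 * struct ip_tunnel_info and ip_tunnel_info_opts_set(). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Use the real attribute where the compiler supports it (GCC 15+, clang 19+);
 * the size check below is modelled explicitly so the result does not depend on it. */
#if defined(__has_attribute)
#  if __has_attribute(counted_by)
#    define COUNTED_BY(f) __attribute__((counted_by(f)))
#  endif
#endif
#ifndef COUNTED_BY
#  define COUNTED_BY(f)
#endif

#define MAX_OPTS 32   /* assumed backing storage behind the flexible array */

struct tunnel_info_model {
    uint8_t options_len;                       /* counter for the flexible array */
    uint8_t options[] COUNTED_BY(options_len); /* tunnel metadata options */
};

/* Models a FORTIFY_SOURCE memcpy whose destination is a counted_by flexible
 * array: the object size is whatever options_len holds at the time of the
 * call, and a larger write would reach __fortify_panic. Here the model
 * reports the same message and returns -1 instead of panicking. */
static int fortified_opts_copy(struct tunnel_info_model *info,
                               const void *src, size_t len)
{
    size_t dst_size = info->options_len;   /* what the dynamic object size yields */
    if (len > dst_size) {
        fprintf(stderr, "memcpy: detected buffer overflow: "
                "%zu byte write of buffer size %zu\n", len, dst_size);
        return -1;
    }
    memcpy(info->options, src, len);
    return 0;
}

/* The vulnerable ordering: the receive path writes the options first and
 * updates the counter afterwards, so the check runs with options_len == 0. */
static int partial_update_bug(struct tunnel_info_model *info,
                              const void *opts, uint8_t len)
{
    if (fortified_opts_copy(info, opts, len) < 0)
        return -1;
    info->options_len = len;
    return 0;
}

/* The fixed ordering, mirroring what ip_tunnel_info_opts_set() does: the
 * counter is initialized before the flexible array is referenced. */
static int opts_set_fixed(struct tunnel_info_model *info,
                          const void *opts, uint8_t len)
{
    info->options_len = len;
    return fortified_opts_copy(info, opts, len);
}

/* Zeroed object, as the tunnel info is zero-initialized before the receive
 * path fills it in; calloc stands in for the kernel's allocation. */
static struct tunnel_info_model *alloc_info(void)
{
    return calloc(1, sizeof(struct tunnel_info_model) + MAX_OPTS);
}

/* 4 bytes of constructed option data: the "4 byte write" from the advisory. */
static const uint8_t ERSPAN_MD_SAMPLE[4] = { 0x01, 0x00, 0x00, 0x2a };

/* Returns -1: the detected overflow, which in the kernel becomes the panic. */
int demo_partial_update_bug(void)
{
    struct tunnel_info_model *info = alloc_info();
    int rc = info ? partial_update_bug(info, ERSPAN_MD_SAMPLE, sizeof ERSPAN_MD_SAMPLE) : -1;
    free(info);
    return rc;
}

/* Returns 0: the same copy with the counter set first passes the check. */
int demo_opts_set_fixed(void)
{
    struct tunnel_info_model *info = alloc_info();
    int rc = info ? opts_set_fixed(info, ERSPAN_MD_SAMPLE, sizeof ERSPAN_MD_SAMPLE) : -1;
    free(info);
    return rc;
}
```

Both demo functions copy the same 4 bytes into the same zeroed object; only the position of the options_len assignment differs, which is exactly why the check reports "4 byte write of buffer size 0" in one case and nothing in the other.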
Attack Vector
The vulnerability is triggered when the kernel receives ERSPAN traffic through a GRE tunnel. When such packets are processed by the erspan_rcv function, the uninitialized options_len field causes the FORTIFY_SOURCE bounds checking to detect a buffer overflow and invoke __fortify_panic, resulting in a kernel crash.
The call trace from the vulnerability report demonstrates the execution path:
The panic occurs in the interrupt context (<IRQ>) when processing incoming packets through the GRE receive path (gre_rcv), which calls erspan_rcv to handle ERSPAN-encapsulated traffic. The memcpy operation fails the bounds check, detecting a "4 byte write of buffer size 0" condition.
Detection Methods for CVE-2025-71128
Indicators of Compromise
- Kernel panic messages containing memcpy: detected buffer overflow: 4 byte write of buffer size 0
- System crashes during GRE tunnel ERSPAN traffic processing
- Call traces showing erspan_rcv.cold and __fortify_panic in the kernel log
- Unexpected reboots on systems processing ERSPAN-encapsulated traffic
Detection Strategies
- Monitor kernel logs for FORTIFY_SOURCE panic messages related to erspan_rcv
- Implement network monitoring to detect anomalous ERSPAN traffic patterns
- Use kernel tracing tools to monitor calls to erspan_rcv and gre_rcv functions
- Deploy SentinelOne Singularity Platform for real-time kernel-level threat detection
Monitoring Recommendations
- Enable kernel crash dump collection to capture detailed diagnostic information on panic events
- Configure syslog monitoring for FORTIFY_SOURCE-related warning and error messages
- Monitor system uptime metrics to detect unexpected reboots that may indicate exploitation attempts
- Review network traffic logs for unusual GRE/ERSPAN traffic patterns from untrusted sources
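The indicators of compromise, the kernel-log detection strategy and the syslog monitoring recommendation above, as one added example (not part of the advisory or of any SentinelOne product): a small classifier that scans kernel log lines for the FORTIFY message together with the __fortify_panic and erspan_rcv frames. The sample log excerpts are constructed, including the +0x0/0x0 offsets, which are placeholders; only the message text and symbol names come from the advisory.

```c
/* Added example (not part of the advisory): a kernel-log classifier for the
 * CVE-2025-71128 indicators. Sample lines and their +0x offsets are
 * constructed; the message text and symbol names come from the advisory. */
#include <stddef.h>
#include <string.h>

/* Indicator bits returned by classify_kernel_log_line(). */
#define IOC_FORTIFY_MSG   0x1  /* "memcpy: detected buffer overflow ..." */
#define IOC_FORTIFY_PANIC 0x2  /* __fortify_panic frame in the call trace */
#define IOC_ERSPAN_RCV    0x4  /* erspan_rcv / erspan_rcv.cold frame */
#define IOC_GRE_RCV       0x8  /* gre_rcv frame */

static const char FORTIFY_MSG[] =
    "memcpy: detected buffer overflow: 4 byte write of buffer size 0";

/* Returns the set of indicators present in one log line. */
unsigned classify_kernel_log_line(const char *line)
{
    unsigned flags = 0;
    if (strstr(line, FORTIFY_MSG))       flags |= IOC_FORTIFY_MSG;
    if (strstr(line, "__fortify_panic")) flags |= IOC_FORTIFY_PANIC;
    if (strstr(line, "erspan_rcv"))      flags |= IOC_ERSPAN_RCV;
    if (strstr(line, "gre_rcv"))         flags |= IOC_GRE_RCV;
    return flags;
}

/* Nonzero only when the FORTIFY message is accompanied by the panic and the
 * ERSPAN receive frame: the combination the advisory describes. The FORTIFY
 * message alone could come from another subsystem, and an erspan_rcv frame
 * alone is just ERSPAN traffic being processed. */
int matches_cve_2025_71128(const char *const lines[], size_t n)
{
    unsigned seen = 0;
    for (size_t i = 0; i < n; i++)
        seen |= classify_kernel_log_line(lines[i]);
    return (seen & IOC_FORTIFY_MSG) &&
           (seen & IOC_FORTIFY_PANIC) &&
           (seen & IOC_ERSPAN_RCV);
}

/* Constructed excerpt resembling the panic described in the advisory. */
static const char *const SAMPLE_PANIC[] = {
    "kernel: memcpy: detected buffer overflow: 4 byte write of buffer size 0",
    "kernel: Call Trace:",
    "kernel:  <IRQ>",
    "kernel:  __fortify_panic+0x0/0x0",   /* offsets are placeholders */
    "kernel:  erspan_rcv.cold+0x0/0x0",
    "kernel:  gre_rcv+0x0/0x0",
    "kernel:  </IRQ>",
};

/* Constructed benign excerpt: GRE modules loading, no FORTIFY message. */
static const char *const SAMPLE_BENIGN[] = {
    "kernel: gre: GRE over IPv4 demultiplexor driver",
    "kernel: ip_gre: GRE over IPv4 tunneling driver",
};

int demo_panic_excerpt_matches(void)
{
    return matches_cve_2025_71128(SAMPLE_PANIC,
                                  sizeof SAMPLE_PANIC / sizeof *SAMPLE_PANIC);
}

int demo_benign_excerpt_matches(void)
{
    return matches_cve_2025_71128(SAMPLE_BENIGN,
                                  sizeof SAMPLE_BENIGN / sizeof *SAMPLE_BENIGN);
}
```

Requiring all three indicators in the same excerpt keeps the rule from firing on unrelated FORTIFY_SOURCE reports or on ordinary ERSPAN traffic; a syslog or crash-dump pipeline would feed it the lines around each "detected buffer overflow" message rather than the whole log.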
How to Mitigate CVE-2025-71128
Immediate Actions Required
- Apply the latest kernel patches from the stable kernel repository
- Consider temporarily disabling GRE tunnel ERSPAN functionality if not required
- Implement network-level filtering to restrict ERSPAN traffic to trusted sources only
- Monitor systems for kernel panic events and enable crash dump collection for analysis
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix ensures proper initialization of options_len before any reference to the options flexible array member.
Patches are available in the following kernel commits:
Workarounds
- Disable GRE ERSPAN tunnel functionality by unloading or blacklisting the ip_gre module if not required
- Implement firewall rules to block untrusted ERSPAN traffic at the network perimeter
- Compile the kernel without FORTIFY_SOURCE as a temporary workaround (not recommended for production)
- Restrict GRE tunnel configurations to trusted network segments only
# Temporarily disable ip_gre module (if not in use)
modprobe -r ip_gre
# "blacklist" only stops alias-based autoloading; an explicit "modprobe ip_gre" still
# succeeds. Add "install ip_gre /bin/false" to the same file to block that as well.
echo "blacklist ip_gre" >> /etc/modprobe.d/blacklist-erspan.conf
# Block external GRE traffic at firewall level (10.0.0.0/8 stands for the trusted range).
# This drops all GRE (IP protocol 47) from outside that range, not only ERSPAN.
# "! -s" is the current negation syntax; the older "-s !" form is deprecated.
iptables -A INPUT -p gre ! -s 10.0.0.0/8 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.