CVE-2025-71128 Overview
CVE-2025-71128 is a Linux kernel vulnerability in the Generic Routing Encapsulation (GRE) Encapsulated Remote Switched Port Analyzer (ERSPAN) receive path. The flaw stems from struct ip_tunnel_info containing a flexible array member options protected by a counted_by(options_len) attribute. The ERSPAN code path performs a partial update without initializing options_len before referencing the options array. When the kernel is compiled with GCC 15+ and FORTIFY_SOURCE enabled, this triggers a detected buffer overflow and kernel panic during erspan_rcv() processing of incoming GRE traffic.
Critical Impact
A local attacker or remote traffic source able to deliver crafted ERSPAN-encapsulated GRE packets to a vulnerable host can induce a kernel panic, resulting in denial of service on systems compiled with FORTIFY_SOURCE.
Affected Products
- Linux Kernel 6.15
- Linux Kernel 6.19-rc1 through 6.19-rc8
- Linux distributions shipping affected kernels with FORTIFY_SOURCE enabled
Discovery Timeline
- 2026-01-14 - CVE-2025-71128 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2025-71128
Vulnerability Analysis
The vulnerability resides in the ERSPAN receive handler erspan_rcv() within the Linux kernel's GRE tunnel subsystem. The struct ip_tunnel_info data structure contains a flexible array member named options, which is annotated with the counted_by(options_len) compiler attribute. This attribute lets the compiler enforce runtime bounds checking through FORTIFY_SOURCE string helpers.
GCC documentation requires the counter field to be initialized before the first reference to the flexible array member. Most kernel code uses the ip_tunnel_info_opts_set() helper, which correctly initializes options_len before copying data into options. The ERSPAN handler instead performs a partial update that bypasses the helper, leaving options_len at zero when options is first written.
The resulting kernel panic reports: memcpy: detected buffer overflow: 4 byte write of buffer size 0. The call trace shows the panic originating in erspan_rcv.cold+0x68/0x83, reached through gre_rcv() and ip_protocol_deliver_rcu().
Root Cause
The root cause is uninitialized memory use of the options_len counter field before referencing the options flexible array member. The partial-update pattern in the ERSPAN path violates the contract required by the counted_by attribute, causing __fortify_panic() to fire when memcpy() is invoked with a target buffer size of zero.
Attack Vector
The vulnerability is triggered in the GRE receive path when ERSPAN traffic arrives at the host. The NVD CVSS vector indicates a local attack vector with low privileges and high availability impact. Any process or network source able to deliver ERSPAN-encapsulated GRE frames to an interface processed by the affected kernel can trigger the panic. No authentication is required at the protocol level. Exploitation results in denial of service through kernel panic rather than memory corruption, because FORTIFY_SOURCE intentionally aborts on detection.
The vulnerability manifests when the kernel is built with GCC 15+ and FORTIFY_SOURCE enabled. See the Kernel.org Commit 35ddf66 and Kernel.org Commit b282b2a for the upstream fixes.
Detection Methods for CVE-2025-71128
Indicators of Compromise
- Kernel panic messages containing memcpy: detected buffer overflow: 4 byte write of buffer size 0
- Call traces referencing __fortify_panic, erspan_rcv.cold, and gre_rcv in dmesg or /var/log/kern.log
- Unexpected host reboots correlated with inbound GRE protocol 47 traffic
- Crash dumps showing fault origin in net/ipv4/ip_gre.c ERSPAN code paths
Detection Strategies
- Monitor kernel logs for __fortify_panic strings and ERSPAN-related stack frames
- Audit network telemetry for unsolicited GRE packets carrying ERSPAN headers reaching production hosts
- Inventory hosts running Linux kernel 6.15 and 6.19-rc builds compiled with CONFIG_FORTIFY_SOURCE=y
- Correlate sudden node unavailability events with GRE traffic spikes against the affected interfaces
Monitoring Recommendations
- Forward kern.log and dmesg output to a central log platform and alert on fortify_panic patterns
- Track GRE protocol 47 ingress counters using nftables, iptables, or NetFlow records
- Baseline host uptime and trigger alerts on kernel panic restart loops involving the GRE module
How to Mitigate CVE-2025-71128
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in commits 35ddf66c65ef and b282b2a9eed8
- Block unsolicited GRE protocol 47 traffic at the network edge for hosts that do not require ERSPAN ingest
- Unload the ip_gre and erspan kernel modules on systems that do not use GRE or ERSPAN tunneling
- Inventory and patch all systems running the affected 6.15 and 6.19-rc kernels
Patch Information
The fix initializes options_len before the first reference to the options flexible array member in the ERSPAN receive code path. Upstream commits 35ddf66c65eff93fff91406756ba273600bf61a3 and b282b2a9eed848587c1348abdd5d83fa346a2743 resolve the issue. Administrators should pull the latest stable kernel from their distribution vendor that incorporates these commits. The original bug is tracked at Launchpad bug 2129580.
Workarounds
- Filter inbound GRE packets at perimeter firewalls or host-based packet filters where ERSPAN is not in use
- Disable the ip_gre module via modprobe.d blacklist on hosts that do not require GRE tunneling
- Rebuild the kernel with CONFIG_FORTIFY_SOURCE disabled as a temporary measure where patching is not yet possible, accepting the loss of runtime bounds checking
# Block GRE protocol 47 ingress on hosts that do not require ERSPAN
sudo iptables -A INPUT -p gre -j DROP
# Prevent the vulnerable module from loading
echo "blacklist ip_gre" | sudo tee /etc/modprobe.d/blacklist-gre.conf
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

