Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71128

CVE-2025-71128: Linux Kernel Buffer Overflow Vulnerability

CVE-2025-71128 is a buffer overflow flaw in the Linux Kernel's ERSPAN handling that causes kernel panics when compiled with GCC 15+ and FORTIFY_SOURCE. This article covers the technical details, affected systems, and mitigation.

Updated:

CVE-2025-71128 Overview

CVE-2025-71128 is a Linux kernel vulnerability in the Generic Routing Encapsulation (GRE) Encapsulated Remote Switched Port Analyzer (ERSPAN) receive path. The flaw stems from struct ip_tunnel_info containing a flexible array member options protected by a counted_by(options_len) attribute. The ERSPAN code path performs a partial update without initializing options_len before referencing the options array. When the kernel is compiled with GCC 15+ and FORTIFY_SOURCE enabled, this triggers a detected buffer overflow and kernel panic during erspan_rcv() processing of incoming GRE traffic.

Critical Impact

A local attacker or remote traffic source able to deliver crafted ERSPAN-encapsulated GRE packets to a vulnerable host can induce a kernel panic, resulting in denial of service on systems compiled with FORTIFY_SOURCE.

Affected Products

  • Linux Kernel 6.15
  • Linux Kernel 6.19-rc1 through 6.19-rc8
  • Linux distributions shipping affected kernels with FORTIFY_SOURCE enabled

Discovery Timeline

  • 2026-01-14 - CVE-2025-71128 published to NVD
  • 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2025-71128

Vulnerability Analysis

The vulnerability resides in the ERSPAN receive handler erspan_rcv() within the Linux kernel's GRE tunnel subsystem. The struct ip_tunnel_info data structure contains a flexible array member named options, which is annotated with the counted_by(options_len) compiler attribute. This attribute lets the compiler enforce runtime bounds checking through FORTIFY_SOURCE string helpers.

GCC documentation requires the counter field to be initialized before the first reference to the flexible array member. Most kernel code uses the ip_tunnel_info_opts_set() helper, which correctly initializes options_len before copying data into options. The ERSPAN handler instead performs a partial update that bypasses the helper, leaving options_len at zero when options is first written.

The resulting kernel panic reports: memcpy: detected buffer overflow: 4 byte write of buffer size 0. The call trace shows the panic originating in erspan_rcv.cold+0x68/0x83, reached through gre_rcv() and ip_protocol_deliver_rcu().

Root Cause

The root cause is uninitialized memory use of the options_len counter field before referencing the options flexible array member. The partial-update pattern in the ERSPAN path violates the contract required by the counted_by attribute, causing __fortify_panic() to fire when memcpy() is invoked with a target buffer size of zero.

Attack Vector

The vulnerability is triggered in the GRE receive path when ERSPAN traffic arrives at the host. The NVD CVSS vector indicates a local attack vector with low privileges and high availability impact. Any process or network source able to deliver ERSPAN-encapsulated GRE frames to an interface processed by the affected kernel can trigger the panic. No authentication is required at the protocol level. Exploitation results in denial of service through kernel panic rather than memory corruption, because FORTIFY_SOURCE intentionally aborts on detection.

The vulnerability manifests when the kernel is built with GCC 15+ and FORTIFY_SOURCE enabled. See the Kernel.org Commit 35ddf66 and Kernel.org Commit b282b2a for the upstream fixes.

Detection Methods for CVE-2025-71128

Indicators of Compromise

  • Kernel panic messages containing memcpy: detected buffer overflow: 4 byte write of buffer size 0
  • Call traces referencing __fortify_panic, erspan_rcv.cold, and gre_rcv in dmesg or /var/log/kern.log
  • Unexpected host reboots correlated with inbound GRE protocol 47 traffic
  • Crash dumps showing fault origin in net/ipv4/ip_gre.c ERSPAN code paths

Detection Strategies

  • Monitor kernel logs for __fortify_panic strings and ERSPAN-related stack frames
  • Audit network telemetry for unsolicited GRE packets carrying ERSPAN headers reaching production hosts
  • Inventory hosts running Linux kernel 6.15 and 6.19-rc builds compiled with CONFIG_FORTIFY_SOURCE=y
  • Correlate sudden node unavailability events with GRE traffic spikes against the affected interfaces

Monitoring Recommendations

  • Forward kern.log and dmesg output to a central log platform and alert on fortify_panic patterns
  • Track GRE protocol 47 ingress counters using nftables, iptables, or NetFlow records
  • Baseline host uptime and trigger alerts on kernel panic restart loops involving the GRE module

How to Mitigate CVE-2025-71128

Immediate Actions Required

  • Apply the upstream Linux kernel patches referenced in commits 35ddf66c65ef and b282b2a9eed8
  • Block unsolicited GRE protocol 47 traffic at the network edge for hosts that do not require ERSPAN ingest
  • Unload the ip_gre and erspan kernel modules on systems that do not use GRE or ERSPAN tunneling
  • Inventory and patch all systems running the affected 6.15 and 6.19-rc kernels

Patch Information

The fix initializes options_len before the first reference to the options flexible array member in the ERSPAN receive code path. Upstream commits 35ddf66c65eff93fff91406756ba273600bf61a3 and b282b2a9eed848587c1348abdd5d83fa346a2743 resolve the issue. Administrators should pull the latest stable kernel from their distribution vendor that incorporates these commits. The original bug is tracked at Launchpad bug 2129580.

Workarounds

  • Filter inbound GRE packets at perimeter firewalls or host-based packet filters where ERSPAN is not in use
  • Disable the ip_gre module via modprobe.d blacklist on hosts that do not require GRE tunneling
  • Rebuild the kernel with CONFIG_FORTIFY_SOURCE disabled as a temporary measure where patching is not yet possible, accepting the loss of runtime bounds checking
bash
# Block GRE protocol 47 ingress on hosts that do not require ERSPAN
sudo iptables -A INPUT -p gre -j DROP

# Prevent the vulnerable module from loading
echo "blacklist ip_gre" | sudo tee /etc/modprobe.d/blacklist-gre.conf
sudo update-initramfs -u

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.