CVE-2025-38572
- Source
- https://cve.org/CVERecord?id=CVE-2025-38572
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38572.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-38572
- Downstream
- Related
- Published
- 2025-08-19T17:02:52.340Z
- Modified
- 2026-03-12T02:14:36.758026Z
- Summary
- ipv6: reject malicious packets in ipv6_gso_segment()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
ipv6: reject malicious packets in ipv6gsosegment()
syzbot was able to craft a packet with very long IPv6 extension headers leading to an overflow of skb->transport_header.
This 16bit field has a limited range.
Add skbresettransportheadercareful() helper and use it from ipv6gsosegment()
WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skbresettransportheader include/linux/skbuff.h:3032 [inline] WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6gsosegment+0x15e2/0x21e0 net/ipv6/ip6offload.c:151 Modules linked in: CPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:skbresettransportheader include/linux/skbuff.h:3032 [inline] RIP: 0010:ipv6gsosegment+0x15e2/0x21e0 net/ipv6/ip6offload.c:151 Call Trace: <TASK> skbmacgsosegment+0x31c/0x640 net/core/gso.c:53 nshgsosegment+0x54a/0xe10 net/nsh/nsh.c:110 skbmacgsosegment+0x31c/0x640 net/core/gso.c:53 __skbgsosegment+0x342/0x510 net/core/gso.c:124 skbgsosegment include/net/gso.h:83 [inline] validatexmitskb+0x857/0x11b0 net/core/dev.c:3950 validatexmitskblist+0x84/0x120 net/core/dev.c:4000 schdirectxmit+0xd3/0x4b0 net/sched/schgeneric.c:329 __devxmitskb net/core/dev.c:4102 [inline] __devqueuexmit+0x17b6/0x3a70 net/core/dev.c:4679
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38572.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/09ff062b89d8e48165247d677d1ca23d6d607e9b
- https://git.kernel.org/stable/c/3f638e0b28bde7c3354a0df938ab3a96739455d1
- https://git.kernel.org/stable/c/5489e7fc6f8be3062f8cb7e49406de4bfd94db67
- https://git.kernel.org/stable/c/573b8250fc2554761db3bc2bbdbab23789d52d4e
- https://git.kernel.org/stable/c/5dc60b2a00ed7629214ac0c48e43f40af2078703
- https://git.kernel.org/stable/c/d45cf1e7d7180256e17c9ce88e32e8061a7887fe
- https://git.kernel.org/stable/c/de322cdf600fc9433845a9e944d1ca6b31cfb67e
- https://git.kernel.org/stable/c/ee851768e4b8371ce151fd446d24bf3ae2d18789
- https://git.kernel.org/stable/c/ef05007b403dcc21e701cb1f30d4572ac0a9da20
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38572.json
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
- https://nvd.nist.gov/vuln/detail/CVE-2025-38572
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedd1da932ed4ecad2a14cbcc01ed589d617d0f0f09Fixed5dc60b2a00ed7629214ac0c48e43f40af2078703Fixed3f638e0b28bde7c3354a0df938ab3a96739455d1Fixed09ff062b89d8e48165247d677d1ca23d6d607e9bFixedde322cdf600fc9433845a9e944d1ca6b31cfb67eFixedef05007b403dcc21e701cb1f30d4572ac0a9da20Fixed5489e7fc6f8be3062f8cb7e49406de4bfd94db67Fixed573b8250fc2554761db3bc2bbdbab23789d52d4eFixedee851768e4b8371ce151fd446d24bf3ae2d18789Fixedd45cf1e7d7180256e17c9ce88e32e8061a7887fe