CVE-2025-38572 - Vulnerability Details

- ipv6: reject malicious packets in ipv6_gso_segment()

Description

In the Linux kernel, the following vulnerability has been resolved:

ipv6: reject malicious packets in ipv6_gso_segment()

syzbot was able to craft a packet with very long IPv6 extension headers
leading to an overflow of skb->transport_header.

This 16bit field has a limited range.

Add skb_reset_transport_header_careful() helper and use it
from ipv6_gso_segment()

WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline]
WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151
Modules linked in:
CPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline]
RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151
Call Trace:
<TASK>
skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53
nsh_gso_segment+0x54a/0xe10 net/nsh/nsh.c:110
skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53
__skb_gso_segment+0x342/0x510 net/core/gso.c:124
skb_gso_segment include/net/gso.h:83 [inline]
validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950
validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000
sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329
__dev_xmit_skb net/core/dev.c:4102 [inline]
__dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679

Published: 2025-08-19

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`d1da932ed4ecad2a14cbcc01ed589d617d0f0f09`	affected	< 5dc60b2a00ed7629214ac0c48e43f40af2078703
`d1da932ed4ecad2a14cbcc01ed589d617d0f0f09`	affected	< 3f638e0b28bde7c3354a0df938ab3a96739455d1
`d1da932ed4ecad2a14cbcc01ed589d617d0f0f09`	affected	< 09ff062b89d8e48165247d677d1ca23d6d607e9b
`d1da932ed4ecad2a14cbcc01ed589d617d0f0f09`	affected	< de322cdf600fc9433845a9e944d1ca6b31cfb67e
`d1da932ed4ecad2a14cbcc01ed589d617d0f0f09`	affected	< ef05007b403dcc21e701cb1f30d4572ac0a9da20
`d1da932ed4ecad2a14cbcc01ed589d617d0f0f09`	affected	< 5489e7fc6f8be3062f8cb7e49406de4bfd94db67
`d1da932ed4ecad2a14cbcc01ed589d617d0f0f09`	affected	< 573b8250fc2554761db3bc2bbdbab23789d52d4e
`d1da932ed4ecad2a14cbcc01ed589d617d0f0f09`	affected	< ee851768e4b8371ce151fd446d24bf3ae2d18789
`d1da932ed4ecad2a14cbcc01ed589d617d0f0f09`	affected	< d45cf1e7d7180256e17c9ce88e32e8061a7887fe

Linux

affected

Version	Status	Constraints
`3.8`	affected	—
`0`	unaffected	< 3.8
`5.4.297`	unaffected	≤ 5.4.*
`5.10.241`	unaffected	≤ 5.10.*
`5.15.190`	unaffected	≤ 5.15.*
`6.1.148`	unaffected	≤ 6.1.*
`6.6.102`	unaffected	≤ 6.6.*
`6.12.42`	unaffected	≤ 6.12.*
`6.15.10`	unaffected	≤ 6.15.*
`6.16.1`	unaffected	≤ 6.16.*
`6.17`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Linux	Linux Kernel	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4327-1	linux security update
Debian DLA	DLA-4328-1	linux-6.1 security update
EUVD	EUVD-2025-26102	In the Linux kernel, the following vulnerability has been resolved: ipv6: reject malicious packets in ipv6_gso_segment() syzbot was able to craft a packet with very long IPv6 extension headers leading to an overflow of skb->transport_header. This 16bit field has a limited range. Add skb_reset_transport_header_careful() helper and use it from ipv6_gso_segment() WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline] WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151 Modules linked in: CPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline] RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151 Call Trace: <TASK> skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53 nsh_gso_segment+0x54a/0xe10 net/nsh/nsh.c:110 skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53 __skb_gso_segment+0x342/0x510 net/core/gso.c:124 skb_gso_segment include/net/gso.h:83 [inline] validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950 validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000 sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329 __dev_xmit_skb net/core/dev.c:4102 [inline] __dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679
Ubuntu USN	USN-7879-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7879-2	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-7880-1	Linux kernel (OEM) vulnerabilities
Ubuntu USN	USN-7879-3	Linux kernel vulnerabilities
Ubuntu USN	USN-7909-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7879-4	Linux kernel vulnerabilities
Ubuntu USN	USN-7909-2	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-7909-3	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-7910-1	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-7909-4	Linux kernel vulnerabilities
Ubuntu USN	USN-7910-2	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-7909-5	Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN	USN-7933-1	Linux kernel (KVM) vulnerabilities
Ubuntu USN	USN-7934-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-7938-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8028-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8028-2	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8031-1	Linux kernel (GCP) vulnerabilities
Ubuntu USN	USN-8028-3	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8028-4	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-8028-5	Linux kernel vulnerabilities
Ubuntu USN	USN-8031-2	Linux kernel (GCP FIPS) vulnerabilities
Ubuntu USN	USN-8028-6	Linux kernel (HWE) vulnerabilities
Ubuntu USN	USN-8031-3	Linux kernel vulnerabilities
Ubuntu USN	USN-8052-1	Linux kernel (Low Latency) vulnerabilities
Ubuntu USN	USN-8028-7	Linux kernel (Low Latency NVIDIA) vulnerabilities
Ubuntu USN	USN-8028-8	Linux kernel (IBM) vulnerabilities
Ubuntu USN	USN-8052-2	Linux kernel (Xilinx) vulnerabilities
Ubuntu USN	USN-8074-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8074-2	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-8126-1	Linux kernel (Azure) vulnerabilities

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/09ff062b89d8e48165247d677d1ca23d6d607e9b
https://git.kernel.org/stable/c/3f638e0b28bde7c3354a0df938ab3a96739455d1
https://git.kernel.org/stable/c/5489e7fc6f8be3062f8cb7e49406de4bfd94db67
https://git.kernel.org/stable/c/573b8250fc2554761db3bc2bbdbab23789d52d4e
https://git.kernel.org/stable/c/5dc60b2a00ed7629214ac0c48e43f40af2078703
https://git.kernel.org/stable/c/d45cf1e7d7180256e17c9ce88e32e8061a7887fe
https://git.kernel.org/stable/c/de322cdf600fc9433845a9e944d1ca6b31cfb67e
https://git.kernel.org/stable/c/ee851768e4b8371ce151fd446d24bf3ae2d18789
https://git.kernel.org/stable/c/ef05007b403dcc21e701cb1f30d4572ac0a9da20
https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
https://lore.kernel.org/linux-cve-announce/2025081910-CVE-2025-38572-200b@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-38572
https://www.cve.org/CVERecord?id=CVE-2025-38572

History

Fri, 09 Jan 2026 14:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Debian Debian debian Linux
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:o:debian:debian_linux:11.0:::::::* cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Debian Debian debian Linux
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Mon, 03 Nov 2025 18:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html

Thu, 28 Aug 2025 14:45:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/09ff062b89d8e48165247d677d1ca23d6d607e9b https://git.kernel.org/stable/c/3f638e0b28bde7c3354a0df938ab3a96739455d1 https://git.kernel.org/stable/c/5dc60b2a00ed7629214ac0c48e43f40af2078703

Thu, 21 Aug 2025 12:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linux Linux linux Kernel
Vendors & Products		Linux Linux linux Kernel

Wed, 20 Aug 2025 00:30:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025081910-CVE-2025-38572-200b@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-38572 https://www.cve.org/CVERecord?id=CVE-2025-38572
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Tue, 19 Aug 2025 17:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ipv6: reject malicious packets in ipv6_gso_segment() syzbot was able to craft a packet with very long IPv6 extension headers leading to an overflow of skb->transport_header. This 16bit field has a limited range. Add skb_reset_transport_header_careful() helper and use it from ipv6_gso_segment() WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline] WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151 Modules linked in: CPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline] RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151 Call Trace: <TASK> skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53 nsh_gso_segment+0x54a/0xe10 net/nsh/nsh.c:110 skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53 __skb_gso_segment+0x342/0x510 net/core/gso.c:124 skb_gso_segment include/net/gso.h:83 [inline] validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950 validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000 sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329 __dev_xmit_skb net/core/dev.c:4102 [inline] __dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679
Title		ipv6: reject malicious packets in ipv6_gso_segment()
References		https://git.kernel.org/stable/c/5489e7fc6f8be3062f8cb7e49406de4bfd94db67 https://git.kernel.org/stable/c/573b8250fc2554761db3bc2bbdbab23789d52d4e https://git.kernel.org/stable/c/d45cf1e7d7180256e17c9ce88e32e8061a7887fe https://git.kernel.org/stable/c/de322cdf600fc9433845a9e944d1ca6b31cfb67e https://git.kernel.org/stable/c/ee851768e4b8371ce151fd446d24bf3ae2d18789 https://git.kernel.org/stable/c/ef05007b403dcc21e701cb1f30d4572ac0a9da20

Subscriptions

Debian Debian Linux

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-08-19T17:02:52.340Z

Updated: 2026-05-11T21:30:41.304Z

Reserved: 2025-04-16T04:51:24.025Z

Link: CVE-2025-38572

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2025-08-19T17:15:34.117

Modified: 2026-01-09T13:53:12.667

Link: CVE-2025-38572

Redhat

Severity : Moderate

Publid Date: 2025-08-19T00:00:00Z

Links: CVE-2025-38572 - Bugzilla

OpenCVE Enrichment

Updated: 2025-08-21T12:31:54Z

Weaknesses

NVD-CWE-noinfo

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object