CVE-2025-71098

MEDIUM EPSS 1.8%

Published Jan 13, 20265mo ago · Modified Jun 17, 20261w ago

5.5 CVSS 3.1

Medium

Published Jan 13, 2026 5mo ago

Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: ip6_gre: make ip6gre_header() robust Over the years, syzbot found many ways to crash the kernel in ip6gre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was called, syzbot managed to attach an ip6gre device. [1] skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0 ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:213 ! <TASK> skb_under_panic net/core/skbuff.c:223 [inline] skb_push+0xc3/0xe0 net/core/skbuff.c:2641 ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371 dev_hard_header include/linux/netdevice.h:3436 [inline] neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 neigh_output include/net/neighbour.h:556 [inline] ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136 __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline] ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693

CVSS Details

Base Score

5.5

Exploitability

1.8

Impact

3.6

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector Local

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability High

Threat Intelligence

EPSS Exploit Probability

1.8% percentile

Exploit & Patch Status

No Known Exploit

Patch Available

Weaknesses 1

CWE-476 NULL Pointer Dereference Memory Safety

Affected Products 15

Vendor	Product	Version	Range
linux	linux_kernel	*	≥3.7.1 – <5.10.248
linux	linux_kernel	*	≥5.11 – <5.15.198
linux	linux_kernel	*	≥5.16 – <6.1.160
linux	linux_kernel	*	≥6.2 – <6.6.120
linux	linux_kernel	*	≥6.7 – <6.12.64
linux	linux_kernel	*	≥6.13 – <6.18.4
linux	linux_kernel	3.7	any
linux	linux_kernel	6.19	any
linux	linux_kernel	6.19	any
linux	linux_kernel	6.19	any
linux	linux_kernel	6.19	any
linux	linux_kernel	6.19	any
linux	linux_kernel	6.19	any
linux	linux_kernel	6.19	any
linux	linux_kernel	6.19	any

References 7

git.kernel.org https://git.kernel.org/stable/c/1717357007db150c2d703f13f5695460e960f26c

Patch
git.kernel.org https://git.kernel.org/stable/c/17e7386234f740f3e7d5e58a47b5847ea34c3bc2

Patch
git.kernel.org https://git.kernel.org/stable/c/41a1a3140aff295dee8063906f70a514548105e8

Patch
git.kernel.org https://git.kernel.org/stable/c/5fe210533e3459197eabfdbf97327dacbdc04d60

Patch
git.kernel.org https://git.kernel.org/stable/c/91a2b25be07ce1a7549ceebbe82017551d2eec92

Patch
git.kernel.org https://git.kernel.org/stable/c/adee129db814474f2f81207bd182bf343832a52e

Patch
git.kernel.org https://git.kernel.org/stable/c/db5b4e39c4e63700c68a7e65fc4e1f1375273476

Patch

Remediation

git.kernel.org https://git.kernel.org/stable/c/1717357007db150c2d703f13f5695460e960f26c

Patch
git.kernel.org https://git.kernel.org/stable/c/17e7386234f740f3e7d5e58a47b5847ea34c3bc2

Patch
git.kernel.org https://git.kernel.org/stable/c/41a1a3140aff295dee8063906f70a514548105e8

Patch
git.kernel.org https://git.kernel.org/stable/c/5fe210533e3459197eabfdbf97327dacbdc04d60

Patch
git.kernel.org https://git.kernel.org/stable/c/91a2b25be07ce1a7549ceebbe82017551d2eec92

Patch
git.kernel.org https://git.kernel.org/stable/c/adee129db814474f2f81207bd182bf343832a52e

Patch
git.kernel.org https://git.kernel.org/stable/c/db5b4e39c4e63700c68a7e65fc4e1f1375273476

Patch