CVE-2025-71085
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
13/01/2026
Last modified:
14/01/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()

There exists a kernel oops caused by a BUG_ON(nhead INT_MAX
(i.e. (int)(skb_headroom(skb) + len_delta) skb_headroom(skb)) is meant to ensure
that delta = headroom - skb_headroom(skb) is never negative, otherwise
we will trigger a BUG_ON in pskb_expand_head(). However, if
headroom > INT_MAX and delta cmsg_len = cmsg_len;
cmsg->cmsg_level = IPPROTO_IPV6;
cmsg->cmsg_type = IPV6_HOPOPTS;
char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);
hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80

sendmsg(fd, &msg, 0);
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/2bb759062efa188ea5d07242a43e5aa5464bbae1
- https://git.kernel.org/stable/c/58fc7342b529803d3c221101102fe913df7adb83
- https://git.kernel.org/stable/c/73744ad5696dce0e0f43872aba8de6a83d6ad570
- https://git.kernel.org/stable/c/bf3709738d8a8cc6fa275773170c5c29511a0b24
- https://git.kernel.org/stable/c/c53aa6a5086f03f19564096ee084a202a8c738c0



