CVE-2025-71098

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ip6_gre: make ip6gre_header() robust<br /> <br /> Over the years, syzbot found many ways to crash the kernel<br /> in ip6gre_header() [1].<br /> <br /> This involves team or bonding drivers ability to dynamically<br /> change their dev-&gt;needed_headroom and/or dev-&gt;hard_header_len<br /> <br /> In this particular crash mld_newpack() allocated an skb<br /> with a too small reserve/headroom, and by the time mld_sendpack()<br /> was called, syzbot managed to attach an ip6gre device.<br /> <br /> [1]<br /> skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0<br /> ------------[ cut here ]------------<br /> kernel BUG at net/core/skbuff.c:213 !<br /> <br /> skb_under_panic net/core/skbuff.c:223 [inline]<br /> skb_push+0xc3/0xe0 net/core/skbuff.c:2641<br /> ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371<br /> dev_hard_header include/linux/netdevice.h:3436 [inline]<br /> neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618<br /> neigh_output include/net/neighbour.h:556 [inline]<br /> ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136<br /> __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]<br /> ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220<br /> NF_HOOK_COND include/linux/netfilter.h:307 [inline]<br /> ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247<br /> NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318<br /> mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855<br /> mld_send_cr net/ipv6/mcast.c:2154 [inline]<br /> mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693