CVE-2025-21768 in Linux
Summary
by MITRE • 02/27/2025
In the Linux kernel, the following vulnerability has been resolved:
net: ipv6: fix dst ref loops in rpl, seg6 and ioam6 lwtunnels
Some lwtunnels have a dst cache for post-transformation dst. If the packet destination did not change we may end up recording a reference to the lwtunnel in its own cache, and the lwtunnel state will never be freed.
Discovered by the ioam6.sh test, kmemleak was recently fixed to catch per-cpu memory leaks. I'm not sure if rpl and seg6 can actually hit this, but in principle I don't see why not.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 05/25/2026
The vulnerability described in CVE-2025-21768 represents a critical memory management flaw within the Linux kernel's IPv6 networking stack, specifically affecting lightweight tunnels or lwtunnels. This issue manifests in the handling of destination caching mechanisms within the routing protocol for IPv6 packets, where certain tunnel implementations maintain references to their own destination cache entries. The flaw occurs when packets undergo transformations through these tunnel mechanisms without altering their final destination address, creating a circular reference scenario that prevents proper memory cleanup and resource deallocation.
The technical implementation of this vulnerability stems from the kernel's approach to caching destination information for post-transformation packet routing. When lwtunnels process IPv6 packets, they maintain a destination cache to optimize subsequent packet handling. However, in scenarios where the packet's ultimate destination remains unchanged after tunnel processing, the system incorrectly records a reference to the tunnel's own cache entry, creating a self-referential loop. This circular dependency prevents the kernel's memory management subsystem from properly releasing the tunnel state structures, leading to persistent memory leaks that accumulate over time.
The operational impact of this vulnerability extends beyond simple memory consumption issues, as it can lead to system instability and performance degradation in environments heavily reliant on IPv6 tunneling mechanisms. Network services utilizing routing protocol lwtunnels, segment routing with ipv6, and ipv6 encapsulation with active ioam6 processing are particularly at risk. The vulnerability affects systems where these specific tunnel types are actively used for network traffic management, potentially leading to resource exhaustion and denial of service conditions. The discovery through the ioam6.sh test indicates that the issue is particularly prevalent in environments employing IPv6 operations and monitoring capabilities.
This vulnerability aligns with CWE-401, which specifically addresses improper handling of memory allocation and deallocation, and demonstrates characteristics consistent with the ATT&CK technique T1499.004, which involves resource exhaustion through memory leaks. The memory leak occurs at the kernel level in the networking subsystem, making it particularly dangerous as it can affect system stability and potentially provide an attack vector for resource exhaustion attacks. The issue is exacerbated by the fact that the kernel's memory leak detection mechanisms, such as kmemleak, have recently been enhanced to catch per-cpu memory leaks, which is why this specific vulnerability was identified and resolved. The potential for this flaw to affect both rpl and seg6 tunnel implementations, though not definitively confirmed, suggests a broader impact across multiple IPv6 routing mechanisms within the Linux kernel networking stack.