CVE-2025-22055 in Linux
Summary
by MITRE • 04/16/2025
In the Linux kernel, the following vulnerability has been resolved:
net: fix geneve_opt length integer overflow
struct geneve_opt uses a 5-bit length for each single option, which means every variable-size option should be smaller than 128 bytes.
However, all current related Netlink policies cannot promise this length condition, and the attacker can exploit an exact 128-byte size option to *fake* a zero-length option and confuse the parsing logic, and further achieve a heap out-of-bounds read.
One example crash log is like below:
[ 3.905425] ==================================================================
[ 3.905925] BUG: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0
[ 3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177
[ 3.906646]
[ 3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1
[ 3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[ 3.907784] Call Trace:
[ 3.907925] <TASK>
[ 3.908048] dump_stack_lvl+0x44/0x5c
[ 3.908258] print_report+0x184/0x4be
[ 3.909151] kasan_report+0xc5/0x100
[ 3.909539] kasan_check_range+0xf3/0x1a0
[ 3.909794] memcpy+0x1f/0x60
[ 3.909968] nla_put+0xa9/0xe0
[ 3.910147] tunnel_key_dump+0x945/0xba0
[ 3.911536] tcf_action_dump_1+0x1c1/0x340
[ 3.912436] tcf_action_dump+0x101/0x180
[ 3.912689] tcf_exts_dump+0x164/0x1e0
[ 3.912905] fw_dump+0x18b/0x2d0
[ 3.913483] tcf_fill_node+0x2ee/0x460
[ 3.914778] tfilter_notify+0xf4/0x180
[ 3.915208] tc_new_tfilter+0xd51/0x10d0
[ 3.918615] rtnetlink_rcv_msg+0x4a2/0x560
[ 3.919118] netlink_rcv_skb+0xcd/0x200
[ 3.919787] netlink_unicast+0x395/0x530
[ 3.921032] netlink_sendmsg+0x3d0/0x6d0
[ 3.921987] __sock_sendmsg+0x99/0xa0
[ 3.922220] __sys_sendto+0x1b7/0x240
[ 3.922682] __x64_sys_sendto+0x72/0x90
[ 3.922906] do_syscall_64+0x5e/0x90
[ 3.923814] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 3.924122] RIP: 0033:0x7e83eab84407
[ 3.924331] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf
[ 3.925330] RSP: 002b:00007ffff505e370 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
[ 3.925752] RAX: ffffffffffffffda RBX: 00007e83eaafa740 RCX: 00007e83eab84407
[ 3.926173] RDX: 00000000000001a8 RSI: 00007ffff505e3c0 RDI: 0000000000000003
[ 3.926587] RBP: 00007ffff505f460 R08: 00007e83eace1000 R09: 000000000000000c
[ 3.926977] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff505f3c0
[ 3.927367] R13: 00007ffff505f5c8 R14: 00007e83ead1b000 R15: 00005d4fbbe6dcb8
Fix these issues by enforcing the correct length condition in related policies.
Analysis
by VulDB Data Team • 02/15/2026
The vulnerability CVE-2025-22055 resides within the Linux kernel's implementation of the Generic Network Virtualization Encapsulation (GENEVE) protocol, specifically in how it handles option length validation. The GENEVE protocol utilizes a 5-bit field to encode the length of each option, which inherently limits individual options to a maximum size of 31 bytes. This constraint is critical for maintaining memory safety during packet parsing operations. However, the kernel's Netlink policy implementations fail to enforce this limitation, creating a scenario where an attacker can craft a 128-byte option that appears to be a zero-length option to the parser. This misrepresentation leads to a heap out-of-bounds read condition as the parsing logic incorrectly interprets the data, resulting in memory access violations.

The vulnerability manifests through kernel memory corruption, as demonstrated by the KASAN (Kernel Address Sanitizer) crash report showing a slab-out-of-bounds read of 124 bytes at address ffff888005f291cc. The call stack traces indicate the issue originates from the nla_put function, which is part of the Netlink attribute handling mechanism, and propagates through various kernel subsystems including tunnel key dumping and traffic control filtering operations.

This flaw directly maps to CWE-129, which describes improper validation of array indices, and CWE-131, which covers incorrect calculation of buffer or array size. The attack vector leverages the ATT&CK technique T1059.007, specifically command and script interpreter for execution, by enabling an attacker to exploit the kernel memory corruption to potentially execute arbitrary code or cause a denial of service. The root cause lies in the insufficient validation of the GENEVE option length field within Netlink policy enforcement, allowing malformed data to bypass normal parsing checks.
The fix requires strengthening the Netlink policy validation to ensure that all GENEVE options adhere to the 31-byte limit enforced by the 5-bit length field. This enforcement prevents the exploitation of the zero-length option faking technique that leads to heap corruption, thereby maintaining kernel memory integrity and preventing unauthorized access to kernel memory regions. The vulnerability represents a critical security risk for systems running Linux kernels that support GENEVE encapsulation, particularly those involved in network virtualization, container networking, or traffic control operations where the affected protocol is actively used.
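The truncation described in the summary and the length condition the fix enforces, as an added user-space model (example code written for this page, not the kernel's code): `struct geneve_opt_hdr`, `encode_len_unchecked`, `geneve_opt_data_len_valid` and `encode_len_checked` are assumed names, and the minimum-one-word and multiple-of-four checks are assumptions about what a complete policy should require; the 124-byte ceiling follows from a 5-bit count of 4-byte words.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

/* Constructed model of the kernel's geneve_opt header: the option length is a
 * 5-bit field counted in 4-byte words (widths match the kernel, the exact
 * byte layout is not modeled). Largest encodable payload: 31 * 4 = 124 bytes. */
struct geneve_opt_hdr {
    uint16_t     opt_class;
    uint8_t      type;
    unsigned int flags  : 3;
    unsigned int length : 5;
};

/* What happens without a policy check: 128 bytes of option data is 32 words,
 * which does not fit in 5 bits and wraps to 0, so the option is recorded as
 * zero-length while its 128 bytes of data are still present in the buffer. */
unsigned int encode_len_unchecked(size_t data_len)
{
    struct geneve_opt_hdr h;
    memset(&h, 0, sizeof h);
    h.length = (unsigned int)(data_len / 4);  /* silently truncated to 5 bits */
    return h.length;
}

/* The length condition a Netlink policy must enforce before the value reaches
 * the 5-bit field: a whole number of 4-byte words, at least one word, and at
 * most 31 words (124 bytes). Minimum and alignment checks are assumptions. */
bool geneve_opt_data_len_valid(size_t data_len)
{
    return data_len >= 4 && data_len <= 124 && (data_len % 4) == 0;
}

/* Validate first, then encode; returns -1 for lengths that cannot be
 * represented instead of producing a fake zero-length option. */
int encode_len_checked(size_t data_len)
{
    if (!geneve_opt_data_len_valid(data_len))
        return -1;
    return (int)(data_len / 4);
}
```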