CVE-2025-22063 in Linux
Summary
by MITRE • 04/16/2025
In the Linux kernel, the following vulnerability has been resolved:
netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets
When calling netlbl_conn_setattr(), addr->sa_family is used to determine the function behavior. If sk is an IPv4 socket, but the connect function is called with an IPv6 address, the function calipso_sock_setattr() is triggered. Inside this function, the following code is executed:
sk_fullsock(__sk) ? inet_sk(__sk)->pinet6 : NULL;
Since sk is an IPv4 socket, pinet6 is NULL, leading to a null pointer dereference.
This patch fixes the issue by checking if inet6_sk(sk) returns a NULL pointer before accessing pinet6.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 02/15/2026
The vulnerability CVE-2025-22063 represents a critical null pointer dereference flaw within the Linux kernel's netlabel subsystem, specifically affecting the CALIPSO protocol implementation. This issue manifests when network connections are established through IPv4 sockets but utilize IPv6 addresses, creating a mismatch that triggers erroneous code execution paths. The vulnerability resides in the netlbl_conn_setattr() function which incorrectly handles socket address family mismatches, leading to potential system instability and denial of service conditions.
The technical flaw occurs in the kernel's network labeling mechanism where CALIPSO (Common Architecture Label Policy Option) processing fails to properly validate socket state before accessing IPv6-specific socket structures. When an IPv4 socket attempts to connect using an IPv6 address, the calipso_sock_setattr() function is invoked but does not properly check whether the socket's IPv6 structure pointer is valid. The problematic code path executes sk_fullsock(__sk) ? inet_sk(__sk)->pinet6 : NULL; where the kernel attempts to access the pinet6 member of an IPv4 socket structure that lacks this IPv6-specific component, resulting in a direct null pointer dereference.
This vulnerability directly impacts the kernel's network security and connectivity mechanisms, potentially allowing attackers to trigger system crashes or denial of service conditions through carefully crafted network connections. The flaw affects systems running Linux kernels with netlabel and CALIPSO support, particularly those handling mixed IPv4/IPv6 network traffic. The null pointer dereference can lead to kernel oops, system instability, and in extreme cases, complete system crashes that require manual rebooting, making this a significant security concern for network infrastructure and server environments.
The mitigation strategy involves implementing proper null pointer validation before accessing socket structure members, specifically checking inet6_sk(sk) return values before dereferencing the pinet6 pointer. This aligns with common security practices outlined in CWE-476, which addresses null pointer dereference vulnerabilities, and follows ATT&CK techniques related to privilege escalation and system stability compromise. System administrators should apply the kernel patches addressing this specific null pointer dereference and ensure comprehensive testing of network stack functionality in environments utilizing netlabel and CALIPSO protocols. The fix demonstrates proper defensive programming practices by validating pointer states before access, preventing the kernel from executing invalid memory operations that could be exploited by malicious actors.