CVE-2025-38622 in Linux
Summary
by MITRE • 08/22/2025
In the Linux kernel, the following vulnerability has been resolved:
net: drop UFO packets in udp_rcv_segment()
When sending a packet with virtio_net_hdr to tun device, if the gso_type in virtio_net_hdr is SKB_GSO_UDP and the gso_size is less than udphdr size, below crash may happen.
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:4572! Oops: invalid opcode: 0000 [#1] SMP NOPTI
CPU: 0 UID: 0 PID: 62 Comm: mytest Not tainted 6.16.0-rc7 #203 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:skb_pull_rcsum+0x8e/0xa0 Code: 00 00 5b c3 cc cc cc cc 8b 93 88 00 00 00 f7 da e8 37 44 38 00 f7 d8 89 83 88 00 00 00 48 8b 83 c8 00 00 00 5b c3 cc cc cc cc <0f> 0b 0f 0b 66 66 2e 0f 1f 84 00 000 RSP: 0018:ffffc900001fba38 EFLAGS: 00000297 RAX: 0000000000000004 RBX: ffff8880040c1000 RCX: ffffc900001fb948 RDX: ffff888003e6d700 RSI: 0000000000000008 RDI: ffff88800411a062 RBP: ffff8880040c1000 R08: 0000000000000000 R09: 0000000000000001 R10: ffff888003606c00 R11: 0000000000000001 R12: 0000000000000000 R13: ffff888004060900 R14: ffff888004050000 R15: ffff888004060900 FS: 000000002406d3c0(0000) GS:ffff888084a19000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000040 CR3: 0000000004007000 CR4: 00000000000006f0 Call Trace: <TASK> udp_queue_rcv_one_skb+0x176/0x4b0 net/ipv4/udp.c:2445 udp_queue_rcv_skb+0x155/0x1f0 net/ipv4/udp.c:2475 udp_unicast_rcv_skb+0x71/0x90 net/ipv4/udp.c:2626 __udp4_lib_rcv+0x433/0xb00 net/ipv4/udp.c:2690 ip_protocol_deliver_rcu+0xa6/0x160 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x72/0x90 net/ipv4/ip_input.c:233 ip_sublist_rcv_finish+0x5f/0x70 net/ipv4/ip_input.c:579 ip_sublist_rcv+0x122/0x1b0 net/ipv4/ip_input.c:636 ip_list_rcv+0xf7/0x130 net/ipv4/ip_input.c:670 __netif_receive_skb_list_core+0x21d/0x240 net/core/dev.c:6067 netif_receive_skb_list_internal+0x186/0x2b0 net/core/dev.c:6210 napi_complete_done+0x78/0x180 net/core/dev.c:6580 tun_get_user+0xa63/0x1120 drivers/net/tun.c:1909 tun_chr_write_iter+0x65/0xb0 drivers/net/tun.c:1984 vfs_write+0x300/0x420 fs/read_write.c:593 ksys_write+0x60/0xd0 fs/read_write.c:686 do_syscall_64+0x50/0x1c0 arch/x86/entry/syscall_64.c:63 </TASK>
To trigger gso segment in udp_queue_rcv_skb(), we should also set option UDP_ENCAP_ESPINUDP to enable udp_sk(sk)->encap_rcv. When the encap_rcv hook return 1 in udp_queue_rcv_one_skb(), udp_csum_pull_header() will try to pull udphdr, but the skb size has been segmented to gso size, which leads to this crash.
Previous commit cf329aa42b66 ("udp: cope with UDP GRO packet misdirection") introduces segmentation in UDP receive path only for GRO, which was never intended to be used for UFO, so drop UFO packets in udp_rcv_segment().
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 05/28/2026
The vulnerability CVE-2025-38622 resides within the Linux kernel's networking stack, specifically in the handling of UDP packets received through TUN devices. This flaw manifests when a packet with a virtio_net_hdr structure is sent to a TUN device where the gso_type field indicates SKB_GSO_UDP and the gso_size is smaller than the size of a UDP header. This condition leads to a kernel crash due to an invalid opcode execution, as evidenced by the oops trace showing a BUG at net/core/skbuff.c line 4572. The crash occurs during the processing of UDP packets in the receive path, specifically when the udp_queue_rcv_one_skb function attempts to handle GSO (Generic Segmentation Offload) segments. The issue is exacerbated when the UDP_ENCAP_ESPINUDP socket option is enabled, which activates the encap_rcv hook in the UDP stack. When this hook returns a value of 1, the udp_csum_pull_header function attempts to pull the UDP header from an skb whose size has already been reduced to the gso_size, causing a buffer underflow that triggers the kernel panic.
The technical root cause of this vulnerability stems from an improper handling of UFO (UDP Fragmentation Offload) packets within the UDP receive path. The kernel's UDP stack was designed to process GRO (Generic Receive Offload) segments correctly, but a previous commit introduced segmentation logic that inadvertently affected UFO packets as well. This cross-contamination occurs because the code path that handles GRO segmentation was not properly segregated from UFO processing, leading to an assumption that UFO packets should undergo the same segmentation logic. The flaw is particularly dangerous because it can be triggered through normal network operations involving TUN devices, making it exploitable in environments where such devices are used for virtualization or network tunneling. The vulnerability specifically affects the skb_pull_rcsum function which attempts to manipulate packet headers without proper bounds checking, resulting in memory access violations that crash the kernel.
This vulnerability has significant operational impact on systems running Linux kernels with TUN device support, particularly those utilizing virtualization environments or network tunneling protocols. The crash occurs during normal packet processing, meaning that any application or service that relies on UDP communication through TUN interfaces can potentially trigger this condition. Systems using virtio_net interfaces for virtual machine networking are especially at risk, as the vulnerability can be exploited through crafted UDP packets sent to TUN devices. The instability introduced by this flaw can lead to denial of service conditions, system crashes, and potential data loss in network applications. From an attacker perspective, this represents a reliable method for causing kernel panics, which could be used in DoS attacks against network services or in combination with other vulnerabilities to escalate privileges or gain unauthorized access to systems. The vulnerability aligns with CWE-129, which addresses improper validation of array indices, and maps to ATT&CK technique T1499.004, which involves network disruption through kernel-level attacks.
Mitigation strategies for CVE-2025-38622 involve immediate kernel updates to versions that include the fix for this vulnerability, which specifically drops UFO packets in the udp_rcv_segment() function to prevent the erroneous segmentation logic from being applied to packets that should not undergo such processing. System administrators should also consider implementing network segmentation and access controls to limit exposure to potentially malicious UDP traffic, particularly when TUN devices are in use. Monitoring network traffic for unusual patterns involving UDP packets with small gso_size values can help detect potential exploitation attempts. Additionally, disabling the UDP_ENCAP_ESPINUDP socket option where it is not strictly required can reduce the attack surface. Organizations should also implement robust kernel patch management processes to ensure all systems are updated promptly, as this vulnerability can be exploited remotely through network-based attacks. The fix implemented in the kernel ensures proper separation between GRO and UFO packet handling, preventing the invalid memory operations that lead to the kernel crash.