CVE-2025-39770 in Linux
Summary
by MITRE • 09/11/2025
In the Linux kernel, the following vulnerability has been resolved:
net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM
When performing Generic Segmentation Offload (GSO) on an IPv6 packet that contains extension headers, the kernel incorrectly requests checksum offload if the egress device only advertises NETIF_F_IPV6_CSUM feature, which has a strict contract: it supports checksum offload only for plain TCP or UDP over IPv6 and explicitly does not support packets with extension headers. The current GSO logic violates this contract by failing to disable the feature for packets with extension headers, such as those used in GREoIPv6 tunnels.
This violation results in the device being asked to perform an operation it cannot support, leading to a `skb_warn_bad_offload` warning and a collapse of network throughput. While device TSO/USO is correctly bypassed in favor of software GSO for these packets, the GSO stack must be explicitly told not to request checksum offload.
Mask NETIF_F_IPV6_CSUM, NETIF_F_TSO6 and NETIF_F_GSO_UDP_L4 in gso_features_check if the IPv6 header contains extension headers to compute checksum in software.
The exception is a BIG TCP extension, which, as stated in commit 68e068cabd2c6c53 ("net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets"): "The feature is only enabled on devices that support BIG TCP TSO. The header is only present for PF_PACKET taps like tcpdump, and not transmitted by physical devices."
kernel log output (truncated):

    WARNING: CPU: 1 PID: 5273 at net/core/dev.c:3535 skb_warn_bad_offload+0x81/0x140
    ...
    Call Trace:
     <TASK>
     skb_checksum_help+0x12a/0x1f0
     validate_xmit_skb+0x1a3/0x2d0
     validate_xmit_skb_list+0x4f/0x80
     sch_direct_xmit+0x1a2/0x380
     __dev_xmit_skb+0x242/0x670
     __dev_queue_xmit+0x3fc/0x7f0
     ip6_finish_output2+0x25e/0x5d0
     ip6_finish_output+0x1fc/0x3f0
     ip6_tnl_xmit+0x608/0xc00 [ip6_tunnel]
     ip6gre_tunnel_xmit+0x1c0/0x390 [ip6_gre]
     dev_hard_start_xmit+0x63/0x1c0
     __dev_queue_xmit+0x6d0/0x7f0
     ip6_finish_output2+0x214/0x5d0
     ip6_finish_output+0x1fc/0x3f0
     ip6_xmit+0x2ca/0x6f0
     ip6_finish_output+0x1fc/0x3f0
     ip6_xmit+0x2ca/0x6f0
     inet6_csk_xmit+0xeb/0x150
     __tcp_transmit_skb+0x555/0xa80
     tcp_write_xmit+0x32a/0xe90
     tcp_sendmsg_locked+0x437/0x1110
     tcp_sendmsg+0x2f/0x50
    ...
    skb linear: 00000000: e4 3d 1a 7d ec 30 e4 3d 1a 7e 5d 90 86 dd 60 0e
    skb linear: 00000010: 00 0a 1b 34 3c 40 20 11 00 00 00 00 00 00 00 00
    skb linear: 00000020: 00 00 00 00 00 12 20 11 00 00 00 00 00 00 00 00
    skb linear: 00000030: 00 00 00 00 00 11 2f 00 04 01 04 01 01 00 00 00
    skb linear: 00000040: 86 dd 60 0e 00 0a 1b 00 06 40 20 23 00 00 00 00
    skb linear: 00000050: 00 00 00 00 00 00 00 00 00 12 20 23 00 00 00 00
    skb linear: 00000060: 00 00 00 00 00 00 00 00 00 11 bf 96 14 51 13 f9
    skb linear: 00000070: ae 27 a0 a8 2b e3 80 18 00 40 5b 6f 00 00 01 01
    skb linear: 00000080: 08 0a 42 d4 50 d5 4b 70 f8 1a
Analysis
by VulDB Data Team • 05/24/2026
The vulnerability identified as CVE-2025-39770 resides within the Linux kernel's networking subsystem, specifically impacting how Generic Segmentation Offload (GSO) handles IPv6 packets containing extension headers. This flaw manifests when the kernel attempts to perform TSO (TCP Segmentation Offload) on IPv6 packets that include extension headers such as those used in GRE over IPv6 tunnels. The root cause lies in a violation of the contract associated with the NETIF_F_IPV6_CSUM feature flag, which explicitly states that checksum offload is only supported for plain TCP or UDP over IPv6 without extension headers. When GSO processes such packets, it incorrectly enables checksum offload even though the underlying network device does not support this operation for packets with extensions, resulting in a skb_warn_bad_offload warning and significant degradation in network throughput. The kernel's current implementation fails to properly disable the feature for these specific packet types, creating a mismatch between the expected and actual capabilities of the network interface.
The technical implementation of this vulnerability stems from the gso_features_check function, which does not adequately evaluate whether IPv6 packets with extension headers should be permitted to use hardware checksum offload. The kernel's network stack correctly bypasses TSO/USO in favor of software GSO for these problematic packets, but the GSO subsystem itself must be explicitly instructed to avoid requesting checksum offload operations that the device cannot perform. This misconfiguration leads to a cascade of kernel warnings and performance degradation, as evidenced by the call trace showing functions such as skb_checksum_help and validate_xmit_skb being invoked inappropriately. The specific scenario involves GREoIPv6 tunneling where the IPv6 header contains extension headers that are not supported by devices advertising only NETIF_F_IPV6_CSUM capability, yet the kernel's GSO logic does not properly account for this limitation.
The operational impact of this vulnerability extends beyond simple performance degradation to potentially compromising network reliability and throughput in environments utilizing IPv6 tunneling technologies. Systems running affected kernel versions may experience complete network throughput collapse when processing IPv6 packets with extension headers, particularly in scenarios involving GRE over IPv6 tunnels or other tunneling mechanisms that rely on IPv6 extension headers. The warning messages in kernel logs indicate that the system is attempting operations that the hardware cannot support, leading to a degradation in network performance that can manifest as dropped packets, increased latency, or complete network paralysis. Organizations using IPv6-based tunneling solutions or those operating in environments where network throughput is critical must consider this vulnerability as a potential threat to operational continuity, especially in high-throughput networking environments such as data centers or network infrastructure routers.
Mitigation strategies for CVE-2025-39770 involve patching the kernel to properly mask the NETIF_F_IPV6_CSUM, NETIF_F_TSO6, and NETIF_F_GSO_UDP_L4 features when IPv6 packets contain extension headers, forcing the system to compute checksums in software rather than attempting hardware offload operations that the device cannot support. The fix implements a check within the gso_features_check function to disable these features for IPv6 packets with extension headers, with the exception of BIG TCP extensions which have specific support requirements. This aligns with the ATT&CK framework's network defense evasion techniques, as the vulnerability represents a failure in network stack validation that could be exploited to degrade system performance or availability. Organizations should prioritize kernel updates that include this fix, particularly those operating IPv6 tunneling infrastructure, and monitor for the specific warning messages indicating bad offload operations. The solution also references CWE-119, which addresses improper restriction of operations within a recognized security boundary, as the vulnerability stems from insufficient validation of network device capabilities against packet header characteristics.
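The masking rule described above, as an added userspace model in C; it is not the kernel patch and not code from this page. The feature bit values, the helper names (`ipv6_network_header_len`, `ipv6_is_big_tcp`, `gso_features_check_model`) and the sample packet are constructed for illustration, and the caller is assumed to pass only IPv6 TCP/UDP GSO packets.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed bit values for this model, not the kernel's real bit numbers. */
#define NETIF_F_IPV6_CSUM  (1u << 0)
#define NETIF_F_TSO6       (1u << 1)
#define NETIF_F_GSO_UDP_L4 (1u << 2)
#define NETIF_F_SG         (1u << 3) /* unrelated feature, must survive */
enum { NH_HOP = 0, NH_TCP = 6, NH_ROUTING = 43, NH_GRE = 47, NH_DEST = 60 };

/* Fixed header plus hop-by-hop/routing/destination-option headers.
 * Returns 0 if the buffer is not IPv6 or a header is truncated. */
size_t ipv6_network_header_len(const uint8_t *p, size_t n)
{
    size_t off = 40;
    uint8_t nh;
    if (n < 40 || (p[0] >> 4) != 6)
        return 0;
    for (nh = p[6]; nh == NH_HOP || nh == NH_ROUTING || nh == NH_DEST;) {
        if (off + 8 > n)
            return 0;
        nh = p[off];
        off += ((size_t)p[off + 1] + 1) * 8; /* Hdr Ext Len: 8-octet units */
        if (off > n)
            return 0;
    }
    return off;
}

/* Simplified BIG TCP test: a single 8-byte hop-by-hop header holding only
 * the Jumbo Payload option (type 0xC2, length 4), followed by TCP. */
int ipv6_is_big_tcp(const uint8_t *p, size_t n)
{
    return n >= 48 && p[6] == NH_HOP && p[40] == NH_TCP && p[41] == 0 &&
           p[42] == 0xC2 && p[43] == 4;
}

/* Drop checksum/segmentation offload when extension headers are present. */
uint32_t gso_features_check_model(uint32_t f, const uint8_t *p, size_t n)
{
    size_t len = ipv6_network_header_len(p, n);
    if ((f & NETIF_F_IPV6_CSUM) && len > 40 && !ipv6_is_big_tcp(p, n))
        f &= ~(NETIF_F_IPV6_CSUM | NETIF_F_TSO6 | NETIF_F_GSO_UDP_L4);
    return f;
}

/* Constructed sample: IPv6 + 8-byte destination options + GRE next header. */
const uint8_t sample_dstopt[48] = { [0] = 0x60, [6] = NH_DEST, [40] = NH_GRE,
    [42] = 4, [43] = 1, [44] = 4, [45] = 1, [46] = 1 };
```

A device that does not advertise NETIF_F_IPV6_CSUM passes through unchanged in this model, because the rule targets only devices bound by that flag's contract.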