CVE-2025-71098 in Linux

Summary

by MITRE • 01/13/2026

In the Linux kernel, the following vulnerability has been resolved:

ip6_gre: make ip6gre_header() robust

Over the years, syzbot found many ways to crash the kernel in ip6gre_header() [1].

This involves team or bonding drivers' ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len.

In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was called, syzbot managed to attach an ip6gre device.

[1]
skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:213 !
<TASK>
skb_under_panic net/core/skbuff.c:223 [inline]
skb_push+0xc3/0xe0 net/core/skbuff.c:2641
ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371
dev_hard_header include/linux/netdevice.h:3436 [inline]
neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
neigh_output include/net/neighbour.h:556 [inline]
ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136
__ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]
ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
mld_send_cr net/ipv6/mcast.c:2154 [inline]
mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693


Analysis

by VulDB Data Team • 03/25/2026

The vulnerability CVE-2025-71098 affects the Linux kernel's handling of IPv6 GRE (Generic Routing Encapsulation) headers, specifically within the ip6gre_header() function located in net/ipv6/ip6_gre.c. This issue stems from inadequate robustness in how the kernel manages socket buffer (skb) headroom allocation when processing packets through team or bonding network drivers that dynamically adjust their device header requirements. The flaw manifests when network drivers modify dev->needed_headroom or dev->hard_header_len properties, creating a race condition or improper memory management scenario that leads to kernel panics and system instability.

The technical root cause involves a memory corruption scenario where mld_newpack() allocates an skb with insufficient headroom, and during subsequent processing by mld_sendpack(), syzbot successfully attaches an ip6gre device to the packet. This triggers a kernel BUG at net/core/skbuff.c:213, specifically in the skb_under_panic function, indicating that the packet buffer has been corrupted. The crash occurs during skb_push operations within ip6gre_header(), which attempts to manipulate the packet data pointer beyond the allocated buffer boundaries, leading to memory access violations. The stack trace reveals the execution path through device header processing, neighbor table output functions, and IPv6 packet output routines, ultimately failing in the multicast listener discovery (MLD) subsystem.

This vulnerability presents significant operational risks to Linux systems running kernel versions containing the affected code, particularly those utilizing team or bonding network configurations where dynamic header adjustments occur. The impact extends beyond simple system crashes to potential denial-of-service conditions that could affect network connectivity and overall system stability. Attackers could exploit this weakness by crafting specific network traffic patterns that trigger the race condition, potentially causing system-wide disruptions in environments relying on IPv6 multicast functionality or team/bonding network configurations.

Mitigation strategies should focus on updating to patched kernel versions that address the memory management issues in ip6gre_header() and related skb handling functions. Administrators should also implement monitoring for abnormal network behavior that might indicate exploitation attempts. The fix involves strengthening the validation of headroom requirements and ensuring proper buffer allocation before packet header manipulation. This vulnerability aligns with CWE-121, heap-based buffer overflow, and relates to ATT&CK technique T1499.004, Network Denial of Service, through its potential to cause system instability and service disruption. Organizations should prioritize patching, as the vulnerability's exploitation can lead to complete system compromise or availability loss in networked environments.
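A userspace C model of the validate-before-push pattern described above, added here as an illustration; it is not the kernel patch or VulDB's code. The names mini_skb, push_shortfall, expand_head and push_header_checked are hypothetical. The sample values are constructed from the logged panic line (put:40, data 0x18 bytes below head, so 16 bytes of headroom), assuming the logged len:136 already includes the pushed bytes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Userspace model of an skb (hypothetical): data starts `headroom` bytes after head. */
struct mini_skb {
    unsigned char *head;  /* start of the allocation */
    size_t headroom;      /* bytes between head and data */
    size_t len;           /* bytes from data to tail */
};

/* Bytes by which pushing `put` would move data below head (0 if it fits). */
static size_t push_shortfall(const struct mini_skb *skb, size_t put)
{
    return put > skb->headroom ? put - skb->headroom : 0;
}

/* Reallocate with `extra` more headroom, keeping the payload intact. */
static int expand_head(struct mini_skb *skb, size_t extra)
{
    unsigned char *n = calloc(1, skb->headroom + extra + skb->len);
    if (!n) return -1;
    memcpy(n + skb->headroom + extra, skb->head + skb->headroom, skb->len);
    free(skb->head);
    skb->head = n;
    skb->headroom += extra;
    return 0;
}

/* Checked push: validate headroom, grow if short, then push. Returns new len or -1. */
static long push_header_checked(struct mini_skb *skb, size_t hdr_len)
{
    size_t missing = push_shortfall(skb, hdr_len);
    if (missing && expand_head(skb, missing)) return -1;
    skb->headroom -= hdr_len;
    skb->len += hdr_len;
    memset(skb->head + skb->headroom, 0, hdr_len); /* header bytes go here */
    return (long)skb->len;
}

int main(void)
{
    /* Constructed from the logged values: put:40, data 0x18 below head. */
    struct mini_skb skb = { calloc(1, 16 + 96), 16, 96 };
    if (!skb.head) return 1;
    printf("unchecked push would underrun by %zu bytes\n", push_shortfall(&skb, 40));
    printf("checked push succeeds, len=%ld\n", push_header_checked(&skb, 40));
    free(skb.head);
    return 0;
}
```

The 24-byte shortfall it reports matches the distance between head and data in the panic line.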

Responsible: Linux
Reservation: 01/13/2026
Disclosure: 01/13/2026
Moderation: accepted
CPE: ready
EPSS: 0.00033
KEV: no
Activities: very low
