{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38572","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:24.025Z","datePublished":"2025-08-19T17:02:52.340Z","dateUpdated":"2026-05-11T21:30:41.304Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:30:41.304Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: reject malicious packets in ipv6_gso_segment()\n\nsyzbot was able to craft a packet with very long IPv6 extension headers\nleading to an overflow of skb->transport_header.\n\nThis 16bit field has a limited range.\n\nAdd skb_reset_transport_header_careful() helper and use it\nfrom ipv6_gso_segment()\n\nWARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline]\nWARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151\nModules linked in:\nCPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\n RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline]\n RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151\nCall Trace:\n <TASK>\n  skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53\n  nsh_gso_segment+0x54a/0xe10 net/nsh/nsh.c:110\n  skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53\n  __skb_gso_segment+0x342/0x510 net/core/gso.c:124\n  skb_gso_segment include/net/gso.h:83 [inline]\n  validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950\n  validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000\n  sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329\n  __dev_xmit_skb net/core/dev.c:4102 [inline]\n  __dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/linux/skbuff.h","net/ipv6/ip6_offload.c"],"versions":[{"version":"d1da932ed4ecad2a14cbcc01ed589d617d0f0f09","lessThan":"5dc60b2a00ed7629214ac0c48e43f40af2078703","status":"affected","versionType":"git"},{"version":"d1da932ed4ecad2a14cbcc01ed589d617d0f0f09","lessThan":"3f638e0b28bde7c3354a0df938ab3a96739455d1","status":"affected","versionType":"git"},{"version":"d1da932ed4ecad2a14cbcc01ed589d617d0f0f09","lessThan":"09ff062b89d8e48165247d677d1ca23d6d607e9b","status":"affected","versionType":"git"},{"version":"d1da932ed4ecad2a14cbcc01ed589d617d0f0f09","lessThan":"de322cdf600fc9433845a9e944d1ca6b31cfb67e","status":"affected","versionType":"git"},{"version":"d1da932ed4ecad2a14cbcc01ed589d617d0f0f09","lessThan":"ef05007b403dcc21e701cb1f30d4572ac0a9da20","status":"affected","versionType":"git"},{"version":"d1da932ed4ecad2a14cbcc01ed589d617d0f0f09","lessThan":"5489e7fc6f8be3062f8cb7e49406de4bfd94db67","status":"affected","versionType":"git"},{"version":"d1da932ed4ecad2a14cbcc01ed589d617d0f0f09","lessThan":"573b8250fc2554761db3bc2bbdbab23789d52d4e","status":"affected","versionType":"git"},{"version":"d1da932ed4ecad2a14cbcc01ed589d617d0f0f09","lessThan":"ee851768e4b8371ce151fd446d24bf3ae2d18789","status":"affected","versionType":"git"},{"version":"d1da932ed4ecad2a14cbcc01ed589d617d0f0f09","lessThan":"d45cf1e7d7180256e17c9ce88e32e8061a7887fe","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/linux/skbuff.h","net/ipv6/ip6_offload.c"],"versions":[{"version":"3.8","status":"affected"},{"version":"0","lessThan":"3.8","status":"unaffected","versionType":"semver"},{"version":"5.4.297","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.241","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.190","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.148","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.102","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.42","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.10","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16.1","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8","versionEndExcluding":"5.4.297"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8","versionEndExcluding":"5.10.241"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8","versionEndExcluding":"5.15.190"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8","versionEndExcluding":"6.1.148"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8","versionEndExcluding":"6.6.102"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8","versionEndExcluding":"6.12.42"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8","versionEndExcluding":"6.15.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8","versionEndExcluding":"6.16.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/5dc60b2a00ed7629214ac0c48e43f40af2078703"},{"url":"https://git.kernel.org/stable/c/3f638e0b28bde7c3354a0df938ab3a96739455d1"},{"url":"https://git.kernel.org/stable/c/09ff062b89d8e48165247d677d1ca23d6d607e9b"},{"url":"https://git.kernel.org/stable/c/de322cdf600fc9433845a9e944d1ca6b31cfb67e"},{"url":"https://git.kernel.org/stable/c/ef05007b403dcc21e701cb1f30d4572ac0a9da20"},{"url":"https://git.kernel.org/stable/c/5489e7fc6f8be3062f8cb7e49406de4bfd94db67"},{"url":"https://git.kernel.org/stable/c/573b8250fc2554761db3bc2bbdbab23789d52d4e"},{"url":"https://git.kernel.org/stable/c/ee851768e4b8371ce151fd446d24bf3ae2d18789"},{"url":"https://git.kernel.org/stable/c/d45cf1e7d7180256e17c9ce88e32e8061a7887fe"}],"title":"ipv6: reject malicious packets in ipv6_gso_segment()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:39:59.107Z"}}]}}