CVE-2025-22055: Vulnerability in Linux (Linux kernel)

High
Published: Wed Apr 16 2025 (04/16/2025, 14:12:12 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net: fix geneve_opt length integer overflow

struct geneve_opt uses 5 bit length for each single option, which means every variable-size option should be smaller than 128 bytes. However, all current related Netlink policies cannot promise this length condition and the attacker can exploit an exact 128-byte size option to *fake* a zero length option and confuse the parsing logic, further achieve heap out-of-bounds read. One example crash log is like below:

[ 3.905425] ==================================================================
[ 3.905925] BUG: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0
[ 3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177
[ 3.906646]
[ 3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1
[ 3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[ 3.907784] Call Trace:
[ 3.907925] <TASK>
[ 3.908048] dump_stack_lvl+0x44/0x5c
[ 3.908258] print_report+0x184/0x4be
[ 3.909151] kasan_report+0xc5/0x100
[ 3.909539] kasan_check_range+0xf3/0x1a0
[ 3.909794] memcpy+0x1f/0x60
[ 3.909968] nla_put+0xa9/0xe0
[ 3.910147] tunnel_key_dump+0x945/0xba0
[ 3.911536] tcf_action_dump_1+0x1c1/0x340
[ 3.912436] tcf_action_dump+0x101/0x180
[ 3.912689] tcf_exts_dump+0x164/0x1e0
[ 3.912905] fw_dump+0x18b/0x2d0
[ 3.913483] tcf_fill_node+0x2ee/0x460
[ 3.914778] tfilter_notify+0xf4/0x180
[ 3.915208] tc_new_tfilter+0xd51/0x10d0
[ 3.918615] rtnetlink_rcv_msg+0x4a2/0x560
[ 3.919118] netlink_rcv_skb+0xcd/0x200
[ 3.919787] netlink_unicast+0x395/0x530
[ 3.921032] netlink_sendmsg+0x3d0/0x6d0
[ 3.921987] __sock_sendmsg+0x99/0xa0
[ 3.922220] __sys_sendto+0x1b7/0x240
[ 3.922682] __x64_sys_sendto+0x72/0x90
[ 3.922906] do_syscall_64+0x5e/0x90
[ 3.923814] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 3.924122] RIP: 0033:0x7e83eab84407
[ 3.924331] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf
[ 3.925330] RSP: 002b:00007ffff505e370 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
[ 3.925752] RAX: ffffffffffffffda RBX: 00007e83eaafa740 RCX: 00007e83eab84407
[ 3.926173] RDX: 00000000000001a8 RSI: 00007ffff505e3c0 RDI: 0000000000000003
[ 3.926587] RBP: 00007ffff505f460 R08: 00007e83eace1000 R09: 000000000000000c
[ 3.926977] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff505f3c0
[ 3.927367] R13: 00007ffff505f5c8 R14: 00007e83ead1b000 R15: 00005d4fbbe6dcb8

Fix these issues by enforcing correct length condition in related policies.

AI-Powered Analysis

AI analysis last updated: 07/03/2025, 20:40:47 UTC

Technical Analysis

CVE-2025-22055 is a vulnerability in the Linux kernel's handling of Geneve (Generic Network Virtualization Encapsulation) tunnel options supplied over Netlink. The Geneve option header carries a 5-bit length field that counts the option data in 4-byte words, so a single option can hold at most 31 * 4 = 124 bytes of data. The kernel's struct geneve_opt mirrors that header, but the Netlink policies that accept Geneve option data for tunnel configuration did not enforce the bound: a data attribute of exactly 128 bytes was accepted. 128 bytes is 32 words, which does not fit in 5 bits, so the stored length silently wraps to 0. The option is then recorded as a zero-length option followed by 128 bytes of attacker-controlled data, and code that later walks the stored options by their length fields is confused: it treats the option data as the next option header and reads as many bytes as that fake header claims. The crash log in the description shows KASAN catching a 124-byte slab-out-of-bounds read in nla_put, reached from tc_new_tfilter through tcf_fill_node, fw_dump, tcf_exts_dump and tunnel_key_dump. In other words, the trigger is an RTM_NEWTFILTER Netlink message that installs a tc filter with a tunnel_key action carrying a malformed Geneve option, and the out-of-bounds read happens when the kernel serialises the new filter back into a Netlink notification. The fix tightens the length condition in the relevant Netlink policies so that option data that cannot be represented in the 5-bit length field is rejected before it is stored.

Two practical caveats follow from the call trace. First, the bug is in the Netlink configuration path, not in the parsing of Geneve packets received on the wire, so an attacker needs the ability to send rtnetlink traffic-control messages on the host; that requires CAP_NET_ADMIN in the target network namespace, which an unprivileged local user can obtain in a namespace of their own wherever unprivileged user namespaces are enabled. Second, the crash was reproduced on a 6.1.132 kernel, so that stable release is affected; the page does not list the fixed releases, and the corrected version for each stable series should be taken from the kernel.org CVE announcement or your distribution's advisory. No known exploits are reported in the wild as of the publication date, and no CVSS score had been assigned.
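To make the wrap-around concrete, the following C program is an added example written for this page; it is not kernel code and not from the CVE source. It encodes a Geneve option header the way the kernel's 5-bit bitfield does, reconstructs the pre-fix and post-fix acceptance checks as assumed here (a 128-byte policy cap plus a multiple-of-4 check before, a 124-byte cap after), and walks a buffer of stored options the way a dump routine would. The helper names, the class/type values 0x0102 and 0x80, and the constructed 128-byte option are all illustrative.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Geneve option header (RFC 8926, mirrored by struct geneve_opt in the
 * kernel): 16-bit class, 8-bit type, 3 reserved bits, then a 5-bit length
 * that counts the option data in 4-byte words.  The length is the low
 * 5 bits of the fourth header byte, so the data is at most 31 * 4 bytes. */
#define GENEVE_OPT_HDR_LEN   4
#define GENEVE_OPT_LEN_MASK  0x1f
#define GENEVE_OPT_MAX_DATA  (GENEVE_OPT_LEN_MASK * 4)   /* 124 */

/* Word count the 5-bit field actually stores for a given data length. */
unsigned int geneve_stored_length(size_t data_len)
{
    return (unsigned int)(data_len / 4) & GENEVE_OPT_LEN_MASK; /* 128 -> 32 -> 0 */
}

/* Pre-fix acceptance, as assumed here: the Netlink policy capped the data
 * attribute at 128 bytes and the copy routine required a non-empty multiple
 * of 4.  128 passes both and then does not survive the 5-bit field. */
bool geneve_data_len_ok_prefix(size_t data_len)
{
    return data_len >= 4 && data_len % 4 == 0 && data_len <= 128;
}

/* Post-fix acceptance: the cap is tightened so data_len / 4 fits in 5 bits. */
bool geneve_data_len_ok_fixed(size_t data_len)
{
    return data_len >= 4 && data_len % 4 == 0 && data_len <= GENEVE_OPT_MAX_DATA;
}

/* Serialise one option (header + data) into out.  Returns bytes written, or
 * 0 if out is too small.  The header deliberately carries only what the
 * 5-bit field can hold, like the kernel's bitfield assignment. */
size_t geneve_opt_put(uint8_t *out, size_t out_len, uint16_t opt_class,
                      uint8_t type, const uint8_t *data, size_t data_len)
{
    if (out_len < GENEVE_OPT_HDR_LEN + data_len)
        return 0;
    out[0] = (uint8_t)(opt_class >> 8);
    out[1] = (uint8_t)opt_class;
    out[2] = type;
    out[3] = (uint8_t)geneve_stored_length(data_len); /* reserved bits zero */
    memcpy(out + GENEVE_OPT_HDR_LEN, data, data_len);
    return GENEVE_OPT_HDR_LEN + data_len;
}

/* Walk concatenated options the way a dump routine does, trusting each
 * header's length to locate the next option.  Returns the option count, or
 * -1 when a header claims more data than the buffer still holds, which is
 * the kind of read KASAN flagged in the crash log. */
int geneve_opts_walk(const uint8_t *buf, size_t buf_len)
{
    size_t off = 0;
    int count = 0;

    while (off + GENEVE_OPT_HDR_LEN <= buf_len) {
        size_t data_len = (size_t)(buf[off + 3] & GENEVE_OPT_LEN_MASK) * 4;
        if (off + GENEVE_OPT_HDR_LEN + data_len > buf_len)
            return -1;
        off += GENEVE_OPT_HDR_LEN + data_len;
        count++;
    }
    return count;
}

/* Constructed scenario: one option with exactly 128 data bytes whose data
 * contains bytes that look like an inner option header claiming 31 words
 * (124 bytes).  Returns -2 if the length check rejects the option, otherwise
 * whatever the walker reports once the option has been stored. */
int geneve_demo(bool use_fixed_check)
{
    uint8_t data[128];
    uint8_t buf[GENEVE_OPT_HDR_LEN + sizeof data];

    memset(data, 0, sizeof data);
    data[7] = GENEVE_OPT_LEN_MASK; /* fake inner header: length = 31 words */

    if (!(use_fixed_check ? geneve_data_len_ok_fixed(sizeof data)
                          : geneve_data_len_ok_prefix(sizeof data)))
        return -2;

    /* 0x0102 / 0x80 are arbitrary class and type values for the demo. */
    return geneve_opts_walk(buf, geneve_opt_put(buf, sizeof buf, 0x0102, 0x80,
                                                data, sizeof data));
}

int main(void)
{
    printf("stored length for 128 data bytes: %u\n", geneve_stored_length(128));
    printf("pre-fix check, walker result: %d\n", geneve_demo(false));
    printf("fixed check, walker result:   %d\n", geneve_demo(true));
    return 0;
}
```

With the pre-fix check the 128-byte option is accepted, its header length becomes 0, and the walker steps through the option data as if it were further headers until it meets the fake one claiming 124 bytes, which runs past the buffer (result -1). With the fixed check the same option is refused before anything is stored (result -2).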

Potential Impact

For European organizations, this vulnerability matters most where Linux hosts configure Geneve tunnels through the kernel's traffic-control or tunnelling Netlink interfaces: cloud and virtualization platforms, container networking (CNI plugins, Open vSwitch based overlays) and Linux-based network gateways. Note what the trigger is and is not: the flaw sits in the Netlink configuration path shown in the call trace, not in the parsing of Geneve packets arriving on the wire, so a remote sender of Geneve traffic cannot reach it directly. An attacker who can send the relevant rtnetlink messages on the host can crash the kernel (denial of service) or cause an out-of-bounds heap read whose contents are serialised into the Netlink reply, which can disclose adjacent kernel memory and assist further exploitation. Sending those messages requires CAP_NET_ADMIN in the target network namespace; that capability is held by orchestration and network-management components, and it can also be obtained by any local user in a network namespace of their own on hosts where unprivileged user namespaces are allowed, which makes multi-tenant and shared hosts the highest-risk deployments. The sectors most exposed are those running large Linux networking estates: telecommunications, cloud service providers, financial institutions and critical infrastructure operators.

Mitigation Recommendations

1. Patching: apply the kernel update that carries the fix "net: fix geneve_opt length integer overflow" for your stable series, from kernel.org or your distribution. The page lists no fixed version; the 6.1.132 kernel in the crash log is one that reproduces the bug, not one that fixes it, so confirm the exact fixed release in your vendor's advisory and compare it with uname -r on each host.
2. Restrict the trigger: sending the tc filter and tunnel configuration messages involved requires CAP_NET_ADMIN in a network namespace. Until patched, on hosts with untrusted local users or workloads, disable unprivileged user namespace creation (for example the user.max_user_namespaces sysctl set to 0, or kernel.unprivileged_userns_clone=0 on distributions that carry that patch) so that unprivileged users cannot obtain CAP_NET_ADMIN in a namespace of their own.
3. Harden container and virtualization environments: keep the default capability drops of your container runtime, do not run privileged containers or grant CAP_NET_ADMIN to workloads that do not need it, and patch first the components that legitimately program tunnels (CNI plugins, Open vSwitch, virtual switches).
4. Monitoring and detection: collect kernel oops and panic output (kdump, pstore, remote console logging) and alert on crashes in the tunnel_key dump path; on hosts that should not carry Geneve options, inventory tc filters with tunnel_key actions and alert on unexpected ones. KASAN is a test-environment tool for finding bugs of this kind, not a production detection control.
5. Incident response readiness: plan for kernel crashes on network gateways and hypervisors with failover and tested recovery procedures.
6. Vendor coordination: track the fix through your distribution vendors and verify deployed kernel versions across the estate.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-12-29T08:45:45.811Z
CISA Enriched
false
CVSS Version
null
State
PUBLISHED

Threat ID: 682d9831c4522896dcbe7f5b

Added to database: 5/21/2025, 9:09:05 AM

Last enriched: 7/3/2025, 8:40:47 PM

Last updated: 7/29/2025, 7:21:49 PM

