CVE-2025-37959: Vulnerability in the Linux kernel (Vendor/Project: Linux, Product: Linux)

Severity: High
Published: Tue May 20 2025 (05/20/2025, 16:01:52 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Scrub packet on bpf_redirect_peer

When bpf_redirect_peer is used to redirect packets to a device in another network namespace, the skb isn't scrubbed. That can lead skb information from one namespace to be "misused" in another namespace.

As one example, this is causing Cilium to drop traffic when using bpf_redirect_peer to redirect packets that just went through IPsec decryption to a container namespace. The following pwru trace shows (1) the packet path from the host's XFRM layer to the container's XFRM layer where it's dropped and (2) the number of active skb extensions at each function.

    NETNS      MARK IFACE TUPLE                               FUNC
    4026533547 d00  eth0  10.244.3.124:35473->10.244.2.158:53 xfrm_rcv_cb .active_extensions = (__u8)2,
    4026533547 d00  eth0  10.244.3.124:35473->10.244.2.158:53 xfrm4_rcv_cb .active_extensions = (__u8)2,
    4026533547 d00  eth0  10.244.3.124:35473->10.244.2.158:53 gro_cells_receive .active_extensions = (__u8)2,
    [...]
    4026533547 0    eth0  10.244.3.124:35473->10.244.2.158:53 skb_do_redirect .active_extensions = (__u8)2,
    4026534999 0    eth0  10.244.3.124:35473->10.244.2.158:53 ip_rcv .active_extensions = (__u8)2,
    4026534999 0    eth0  10.244.3.124:35473->10.244.2.158:53 ip_rcv_core .active_extensions = (__u8)2,
    [...]
    4026534999 0    eth0  10.244.3.124:35473->10.244.2.158:53 udp_queue_rcv_one_skb .active_extensions = (__u8)2,
    4026534999 0    eth0  10.244.3.124:35473->10.244.2.158:53 __xfrm_policy_check .active_extensions = (__u8)2,
    4026534999 0    eth0  10.244.3.124:35473->10.244.2.158:53 __xfrm_decode_session .active_extensions = (__u8)2,
    4026534999 0    eth0  10.244.3.124:35473->10.244.2.158:53 security_xfrm_decode_session .active_extensions = (__u8)2,
    4026534999 0    eth0  10.244.3.124:35473->10.244.2.158:53 kfree_skb_reason(SKB_DROP_REASON_XFRM_POLICY) .active_extensions = (__u8)2,

In this case, there are no XFRM policies in the container's network namespace so the drop is unexpected.
When we decrypt the IPsec packet, the XFRM state used for decryption is set in the skb extensions. This information is preserved across the netns switch. When we reach the XFRM policy check in the container's netns, __xfrm_policy_check drops the packet with LINUX_MIB_XFRMINNOPOLS because a (container-side) XFRM policy can't be found that matches the (host-side) XFRM state used for decryption. This patch fixes this by scrubbing the packet when using bpf_redirect_peer, as is done on typical netns switches via veth devices except skb->mark and skb->tstamp are not zeroed.

AI-Powered Analysis

Last updated: 07/03/2025, 18:57:29 UTC

Technical Analysis

CVE-2025-37959 is a Linux kernel vulnerability in the handling of packet redirection across network namespaces by the eBPF helper bpf_redirect_peer. When bpf_redirect_peer redirects a packet to a device in another network namespace, the socket buffer (skb) is not scrubbed, so skb metadata, including the extension that records the IPsec (XFRM, "transform") state used for decryption, leaks from one namespace into the other.

The problem manifests in containerized environments that use Cilium for networking, where packets decrypted by IPsec in the host namespace are redirected into a container namespace. Because the skb still carries the host-side XFRM state, the container namespace's XFRM policy check cannot find a matching policy and drops the packet. The result is unexpected loss of legitimate traffic and a potential denial of service in containerized or multi-tenant environments that rely on network namespaces and IPsec.

The fix scrubs the skb during bpf_redirect_peer, as is already done on ordinary namespace switches through veth devices, except that skb->mark and skb->tstamp are preserved. This stops skb state from crossing namespaces and restores correct, isolated packet processing. The affected kernel code is identified by commit 9aa1206e8f48222f35a0c809f33b2f4aaa1e2661; the CVE was published on May 20, 2025. No exploits in the wild are known at this time, and no CVSS score has been assigned.

Potential Impact

For European organizations, especially those deploying containerized applications using Kubernetes with Cilium or similar networking solutions, this vulnerability poses a risk of network disruption and denial of service. The leakage of skb metadata across network namespaces can cause legitimate traffic to be dropped unexpectedly, impacting application availability and reliability. Organizations relying on IPsec for secure communication within or between containers may experience degraded network performance or failures in packet delivery. This can affect cloud service providers, telecom operators, financial institutions, and enterprises with critical containerized workloads. Additionally, the vulnerability undermines network namespace isolation, which is fundamental for multi-tenant environments, potentially increasing the attack surface if combined with other vulnerabilities. While no direct data confidentiality or integrity compromise is indicated, the disruption of network traffic can have cascading effects on business operations and service-level agreements. The lack of known exploits suggests a window for proactive patching to prevent future exploitation.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernels to builds that include the fix for CVE-2025-37959. The affected code is identified by commit 9aa1206e8f48222f35a0c809f33b2f4aaa1e2661; deploy a kernel that carries the fix for this CVE. For environments using Cilium or similar eBPF-based networking solutions, verify that the networking stack is compatible with the patched kernel and test thoroughly in staging before production rollout. Network administrators should audit their use of bpf_redirect_peer and related eBPF programs to ensure they do not rely on unpatched kernel behavior. Monitoring network namespaces for unexpected packet drops or anomalies in IPsec traffic (for example, XFRM policy drops in a namespace that has no XFRM policies) can help detect issues related to this vulnerability. Employing strict network namespace isolation policies and minimizing cross-namespace packet redirection where possible reduces exposure. Finally, maintain up-to-date incident response plans to address potential network disruptions stemming from this or related vulnerabilities.
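The monitoring suggestion above can be made concrete with the pwru trace format quoted in the description. The following detector is an added example and is not part of this advisory, of pwru, or of the kernel patch: it parses trace lines of the form "NETNS MARK IFACE TUPLE FUNC .active_extensions = (__u8)N," and flags flows that were IPsec-decrypted in one network namespace (xfrm_rcv_cb) and then dropped with SKB_DROP_REASON_XFRM_POLICY in a different namespace while skb extensions were still attached, which is the symptom of an unpatched bpf_redirect_peer. The sample trace is constructed, modelled on the advisory's lines, and adds two extra flows (a scrubbed redirect and a same-namespace policy drop) to show what is not flagged.

```python
"""Cross-namespace XFRM drop detector for pwru-style traces (added example)."""
import re

# One trace line: netns, mark, iface, 5-tuple, function, active extension count.
LINE_RE = re.compile(
    r"^(?P<netns>\d+)\s+(?P<mark>\S+)\s+(?P<iface>\S+)\s+(?P<tuple>\S+)\s+"
    r"(?P<func>\S+)\s+\.active_extensions\s*=\s*\(__u8\)(?P<ext>\d+),?$"
)

DROP_FUNC = "kfree_skb_reason(SKB_DROP_REASON_XFRM_POLICY)"

# Constructed sample trace. Flow :35473 mirrors the advisory's drop (decrypted in
# netns 4026533547, dropped in 4026534999 with extensions intact). Flow :40000
# shows a scrubbed redirect (extensions cleared, packet delivered). Flow :41000
# is a same-namespace policy drop, which is ordinary XFRM behaviour.
SAMPLE_TRACE = """\
NETNS MARK IFACE TUPLE FUNC
4026533547 d00 eth0 10.244.3.124:35473->10.244.2.158:53 xfrm_rcv_cb .active_extensions = (__u8)2,
4026533547 d00 eth0 10.244.3.124:35473->10.244.2.158:53 xfrm4_rcv_cb .active_extensions = (__u8)2,
[...]
4026533547 0 eth0 10.244.3.124:35473->10.244.2.158:53 skb_do_redirect .active_extensions = (__u8)2,
4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 ip_rcv .active_extensions = (__u8)2,
4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 __xfrm_policy_check .active_extensions = (__u8)2,
4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 kfree_skb_reason(SKB_DROP_REASON_XFRM_POLICY) .active_extensions = (__u8)2,
4026533547 d00 eth0 10.244.3.124:40000->10.244.2.158:53 xfrm_rcv_cb .active_extensions = (__u8)2,
4026533547 0 eth0 10.244.3.124:40000->10.244.2.158:53 skb_do_redirect .active_extensions = (__u8)2,
4026534999 0 eth0 10.244.3.124:40000->10.244.2.158:53 ip_rcv .active_extensions = (__u8)0,
4026534999 0 eth0 10.244.3.124:40000->10.244.2.158:53 udp_queue_rcv_one_skb .active_extensions = (__u8)0,
4026533547 0 eth0 10.244.3.124:41000->10.244.9.9:53 xfrm_rcv_cb .active_extensions = (__u8)2,
4026533547 0 eth0 10.244.3.124:41000->10.244.9.9:53 kfree_skb_reason(SKB_DROP_REASON_XFRM_POLICY) .active_extensions = (__u8)2,
"""


def parse_trace(text):
    """Return a list of event dicts; header, '[...]' and unparsable lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "netns": int(d["netns"]), "mark": d["mark"], "iface": d["iface"],
            "tuple": d["tuple"], "func": d["func"], "ext": int(d["ext"]),
        })
    return events


def find_cross_netns_xfrm_drops(events):
    """Flag flows decrypted in one netns and policy-dropped in another with extensions intact."""
    decrypt_ns = {}   # tuple -> netns where xfrm_rcv_cb ran (host-side decryption)
    redirect_ns = {}  # tuple -> netns where skb_do_redirect ran
    findings = []
    for ev in events:
        t = ev["tuple"]
        if ev["func"] == "xfrm_rcv_cb":
            decrypt_ns[t] = ev["netns"]
        elif ev["func"] == "skb_do_redirect":
            redirect_ns[t] = ev["netns"]
        elif ev["func"] == DROP_FUNC:
            src = decrypt_ns.get(t)
            # A drop in the same namespace is normal policy enforcement; only a drop
            # in a different namespace with state still attached matches the CVE symptom.
            if src is not None and src != ev["netns"] and ev["ext"] > 0:
                findings.append({
                    "tuple": t,
                    "decrypt_netns": src,
                    "drop_netns": ev["netns"],
                    "redirected": t in redirect_ns,
                    "active_extensions_at_drop": ev["ext"],
                })
    return findings


def extensions_survive_redirect(events):
    """Per flow: did active_extensions stay > 0 on the first event after skb_do_redirect?"""
    result = {}
    pending = set()
    for ev in events:
        t = ev["tuple"]
        if ev["func"] == "skb_do_redirect":
            pending.add(t)
        elif t in pending:
            result[t] = ev["ext"] > 0   # True means skb state crossed the namespace
            pending.discard(t)
    return result


if __name__ == "__main__":
    evs = parse_trace(SAMPLE_TRACE)
    for f in find_cross_netns_xfrm_drops(evs):
        print("cross-netns XFRM policy drop:", f)
    print("extensions survived redirect:", extensions_survive_redirect(evs))
```

On a real host the input would be the output of pwru run with its extension-count output enabled, fed through parse_trace; a non-empty result from find_cross_netns_xfrm_drops, together with True entries from extensions_survive_redirect, is the signal that scrubbing is not happening on the redirect path.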


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-04-16T04:51:23.974Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682cd0f71484d88663aeae89

Added to database: 5/20/2025, 6:59:03 PM

Last enriched: 7/3/2025, 6:57:29 PM

Last updated: 7/30/2025, 6:58:59 PM
