CVE-2025-51006 is a double free vulnerability identified in the tcpreplay suite, specifically within the tcprewrite utility. The flaw resides in the dlt_linuxsll2_cleanup() function located in plugins/dlt_linuxsll2/linuxsll2.c. The vulnerability occurs when the tcpedit_dlt_cleanup() function indirectly triggers the cleanup routine multiple times on the same memory region, leading to a double free condition. This memory management error can be exploited by a local attacker who supplies a specially crafted pcap file to the tcprewrite binary. The exploitation results in memory corruption that causes a Denial of Service (DoS) by crashing the application or potentially destabilizing the host system. Since tcpreplay tools are used for network traffic replay and packet manipulation, this vulnerability could disrupt network testing, forensic analysis, or other network-related operations relying on these tools. The vulnerability requires local access to the system to execute the crafted pcap file, and there is no indication of remote exploitation or user interaction beyond running the vulnerable binary with malicious input. No CVSS score has been assigned yet, and no known exploits have been reported in the wild as of the publication date.

For European organizations, the primary impact of this vulnerability is operational disruption. Organizations that use tcpreplay tools for network testing, security research, or forensic investigations may experience service interruptions or crashes when processing maliciously crafted pcap files. This could delay incident response, network diagnostics, or security assessments. While the vulnerability does not appear to allow privilege escalation or remote code execution, the DoS condition could be leveraged by an insider or attacker with local access to degrade system availability. In environments where tcpreplay is integrated into automated workflows or continuous security validation pipelines, this vulnerability could cause cascading failures or impact the reliability of network security controls. The risk is heightened in organizations with less stringent access controls or where untrusted users have the ability to execute tcprewrite. However, the lack of remote exploitability limits the threat to local or internal actors rather than external attackers.

To mitigate this vulnerability, European organizations should first identify all systems where tcpreplay and specifically tcprewrite are installed and used. Immediate steps include restricting execution of tcprewrite to trusted administrators and users only, enforcing strict access controls on pcap files, and validating input files before processing. Organizations should monitor vendor advisories for patches or updates addressing this vulnerability and apply them promptly once available. In the interim, consider disabling or removing tcprewrite from production or critical systems if not essential. Additionally, implement application whitelisting and endpoint protection measures to prevent unauthorized execution of crafted pcap files. Security teams should audit and monitor logs for crashes or unusual behavior related to tcprewrite usage. Incorporating these tools into sandboxed or isolated environments can limit the impact of potential exploitation. Finally, educate users about the risks of processing untrusted pcap files and enforce policies to avoid handling files from unknown or unverified sources.