{"id":"CVE-2025-38572","summary":"ipv6: reject malicious packets in ipv6_gso_segment()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: reject malicious packets in ipv6_gso_segment()\n\nsyzbot was able to craft a packet with very long IPv6 extension headers\nleading to an overflow of skb-\u003etransport_header.\n\nThis 16bit field has a limited range.\n\nAdd skb_reset_transport_header_careful() helper and use it\nfrom ipv6_gso_segment()\n\nWARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline]\nWARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151\nModules linked in:\nCPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\n RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline]\n RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151\nCall Trace:\n \u003cTASK\u003e\n  skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53\n  nsh_gso_segment+0x54a/0xe10 net/nsh/nsh.c:110\n  skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53\n  __skb_gso_segment+0x342/0x510 net/core/gso.c:124\n  skb_gso_segment include/net/gso.h:83 [inline]\n  validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950\n  validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000\n  sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329\n  __dev_xmit_skb net/core/dev.c:4102 [inline]\n  __dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679","modified":"2026-03-20T12:42:55.511051Z","published":"2025-08-19T17:02:52.340Z","related":["ALSA-2025:18318","MGASA-2025-0234","MGASA-2025-0235","SUSE-SU-2025:03272-1","SUSE-SU-2025:03290-1","SUSE-SU-2025:03301-1","SUSE-SU-2025:03382-1","SUSE-SU-2025:03602-1","SUSE-SU-2025:03613-1","SUSE-SU-2025:03614-1","SUSE-SU-2025:03615-1","SUSE-SU-2025:03626-1","SUSE-SU-2025:03628-1","SUSE-SU-2025:03633-1","SUSE-SU-2025:03634-1","SUSE-SU-2025:20653-1","SUSE-SU-2025:20669-1","SUSE-SU-2025:20739-1","SUSE-SU-2025:20756-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","SUSE-SU-2025:3716-1","SUSE-SU-2025:3761-1","SUSE-SU-2026:0144-1","SUSE-SU-2026:0148-1","SUSE-SU-2026:0154-1","SUSE-SU-2026:0155-1","SUSE-SU-2026:0163-1","SUSE-SU-2026:0166-1","SUSE-SU-2026:0168-1","SUSE-SU-2026:0171-1","SUSE-SU-2026:0173-1","SUSE-SU-2026:0174-1","SUSE-SU-2026:0176-1","SUSE-SU-2026:0180-1","SUSE-SU-2026:0184-1","SUSE-SU-2026:0186-1","SUSE-SU-2026:0187-1","SUSE-SU-2026:0191-1","SUSE-SU-2026:0206-1","SUSE-SU-2026:0246-1","SUSE-SU-2026:0262-1","SUSE-SU-2026:0269-1","SUSE-SU-2026:0270-1","SUSE-SU-2026:0274-1","SUSE-SU-2026:0283-1","SUSE-SU-2026:0284-1","SUSE-SU-2026:20149-1","SUSE-SU-2026:20164-1","SUSE-SU-2026:20169-1","SUSE-SU-2026:20248-1","SUSE-SU-2026:20249-1","SUSE-SU-2026:20250-1","SUSE-SU-2026:20251-1","SUSE-SU-2026:20252-1","SUSE-SU-2026:20253-1","SUSE-SU-2026:20255-1","SUSE-SU-2026:20256-1","SUSE-SU-2026:20257-1","SUSE-SU-2026:20258-1","SUSE-SU-2026:20259-1","SUSE-SU-2026:20265-1","SUSE-SU-2026:20266-1","SUSE-SU-2026:20376-1","SUSE-SU-2026:20377-1","SUSE-SU-2026:20378-1","SUSE-SU-2026:20379-1","SUSE-SU-2026:20380-1","SUSE-SU-2026:20385-1","SUSE-SU-2026:20392-1","SUSE-SU-2026:20393-1","SUSE-SU-2026:20394-1","SUSE-SU-2026:20395-1","SUSE-SU-2026:20396-1","SUSE-SU-2026:20397-1","SUSE-SU-2026:20400-1","openSUSE-SU-2025:20081-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38572.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/09ff062b89d8e48165247d677d1ca23d6d607e9b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3f638e0b28bde7c3354a0df938ab3a96739455d1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5489e7fc6f8be3062f8cb7e49406de4bfd94db67"},{"type":"WEB","url":"https://git.kernel.org/stable/c/573b8250fc2554761db3bc2bbdbab23789d52d4e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5dc60b2a00ed7629214ac0c48e43f40af2078703"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d45cf1e7d7180256e17c9ce88e32e8061a7887fe"},{"type":"WEB","url":"https://git.kernel.org/stable/c/de322cdf600fc9433845a9e944d1ca6b31cfb67e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ee851768e4b8371ce151fd446d24bf3ae2d18789"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ef05007b403dcc21e701cb1f30d4572ac0a9da20"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38572.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38572"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d1da932ed4ecad2a14cbcc01ed589d617d0f0f09"},{"fixed":"5dc60b2a00ed7629214ac0c48e43f40af2078703"},{"fixed":"3f638e0b28bde7c3354a0df938ab3a96739455d1"},{"fixed":"09ff062b89d8e48165247d677d1ca23d6d607e9b"},{"fixed":"de322cdf600fc9433845a9e944d1ca6b31cfb67e"},{"fixed":"ef05007b403dcc21e701cb1f30d4572ac0a9da20"},{"fixed":"5489e7fc6f8be3062f8cb7e49406de4bfd94db67"},{"fixed":"573b8250fc2554761db3bc2bbdbab23789d52d4e"},{"fixed":"ee851768e4b8371ce151fd446d24bf3ae2d18789"},{"fixed":"d45cf1e7d7180256e17c9ce88e32e8061a7887fe"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38572.json"}}],"schema_version":"1.7.5"}