{"id":"CVE-2025-71128","summary":"erspan: Initialize options_len before referencing options.","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nerspan: Initialize options_len before referencing options.\n\nThe struct ip_tunnel_info has a flexible array member named\noptions that is protected by a counted_by(options_len)\nattribute.\n\nThe compiler will use this information to enforce runtime bounds\nchecking deployed by FORTIFY_SOURCE string helpers.\n\nAs laid out in the GCC documentation, the counter must be\ninitialized before the first reference to the flexible array\nmember.\n\nAfter scanning through the files that use struct ip_tunnel_info\nand also refer to options or options_len, it appears the normal\ncase is to use the ip_tunnel_info_opts_set() helper.\n\nSaid helper would initialize options_len properly before copying\ndata into options, however in the GRE ERSPAN code a partial\nupdate is done, preventing the use of the helper function.\n\nBefore this change the handling of ERSPAN traffic in GRE tunnels\nwould cause a kernel panic when the kernel is compiled with\nGCC 15+ and having FORTIFY_SOURCE configured:\n\nmemcpy: detected buffer overflow: 4 byte write of buffer size 0\n\nCall Trace:\n \u003cIRQ\u003e\n __fortify_panic+0xd/0xf\n erspan_rcv.cold+0x68/0x83\n ? ip_route_input_slow+0x816/0x9d0\n gre_rcv+0x1b2/0x1c0\n gre_rcv+0x8e/0x100\n ? raw_v4_input+0x2a0/0x2b0\n ip_protocol_deliver_rcu+0x1ea/0x210\n ip_local_deliver_finish+0x86/0x110\n ip_local_deliver+0x65/0x110\n ? ip_rcv_finish_core+0xd6/0x360\n ip_rcv+0x186/0x1a0\n\nReported-at: https://launchpad.net/bugs/2129580","modified":"2026-05-18T05:57:38.029358126Z","published":"2026-01-14T15:07:44.941Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71128.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/35ddf66c65eff93fff91406756ba273600bf61a3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b282b2a9eed848587c1348abdd5d83fa346a2743"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71128.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-71128"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"bb5e62f2d547c4de6d1b144cbce2373a76c33f18"},{"fixed":"b282b2a9eed848587c1348abdd5d83fa346a2743"},{"fixed":"35ddf66c65eff93fff91406756ba273600bf61a3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71128.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.15.0"},{"fixed":"6.18.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71128.json"}}],"schema_version":"1.7.5"}