Linux Kernel IP6GRE Header Vulnerability (CVE-2025-71098)
CVE-2025-71098 Published on January 13, 2026
ip6_gre: make ip6gre_header() robust
In the Linux kernel, the following vulnerability has been resolved:
ip6_gre: make ip6gre_header() robust
Over the years, syzbot found many ways to crash the kernel
in ip6gre_header() [1].
This involves team or bonding drivers ability to dynamically
change their dev->needed_headroom and/or dev->hard_header_len
In this particular crash mld_newpack() allocated an skb
with a too small reserve/headroom, and by the time mld_sendpack()
was called, syzbot managed to attach an ip6gre device.
[1]
skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:213 !
<TASK>
skb_under_panic net/core/skbuff.c:223 [inline]
skb_push+0xc3/0xe0 net/core/skbuff.c:2641
ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371
dev_hard_header include/linux/netdevice.h:3436 [inline]
neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
neigh_output include/net/neighbour.h:556 [inline]
ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136
__ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]
ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
mld_send_cr net/ipv6/mcast.c:2154 [inline]
mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
Products Associated with CVE-2025-71098
stack.watch emails you whenever new vulnerabilities are published in Linux Kernel or Canonical Ubuntu Linux. Just hit a watch button to start following.
Affected Versions
Linux:- Version c12b395a46646bab69089ce7016ac78177f6001f and below 17e7386234f740f3e7d5e58a47b5847ea34c3bc2 is affected.
- Version c12b395a46646bab69089ce7016ac78177f6001f and below 41a1a3140aff295dee8063906f70a514548105e8 is affected.
- Version c12b395a46646bab69089ce7016ac78177f6001f and below adee129db814474f2f81207bd182bf343832a52e is affected.
- Version c12b395a46646bab69089ce7016ac78177f6001f and below 1717357007db150c2d703f13f5695460e960f26c is affected.
- Version c12b395a46646bab69089ce7016ac78177f6001f and below 5fe210533e3459197eabfdbf97327dacbdc04d60 is affected.
- Version c12b395a46646bab69089ce7016ac78177f6001f and below 91a2b25be07ce1a7549ceebbe82017551d2eec92 is affected.
- Version c12b395a46646bab69089ce7016ac78177f6001f and below db5b4e39c4e63700c68a7e65fc4e1f1375273476 is affected.
- Version 3.7 is affected.
- Before 3.7 is unaffected.
- Version 5.10.248, <= 5.10.* is unaffected.
- Version 5.15.198, <= 5.15.* is unaffected.
- Version 6.1.160, <= 6.1.* is unaffected.
- Version 6.6.120, <= 6.6.* is unaffected.
- Version 6.12.64, <= 6.12.* is unaffected.
- Version 6.18.4, <= 6.18.* is unaffected.
- Version 6.19, <= * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.