BDU:2026-08527

Published: 29 Dec 2025
Source: fstec
CVSS3: 7.5
CVSS2: 7.8
EPSS: Low

Description

A vulnerability in the calipso_skbuff_setattr() function in the net/ipv6/calipso.c module of the Linux kernel's IPv6 implementation is caused by an integer overflow or wraparound. Exploitation of the vulnerability may allow a remote attacker to cause a denial of service.

Vendor

Red Hat Inc.
Canonical Ltd.
Free software community
Novell Inc.

Software name

Red Hat Enterprise Linux
Ubuntu
Debian GNU/Linux
SUSE Linux Enterprise Server for SAP Applications
SUSE Linux Enterprise Micro
OpenSUSE Leap
Suse Linux Enterprise Server
Suse Linux Enterprise Desktop
SUSE Linux Micro
Linux

Software version

8.0 (Red Hat Enterprise Linux)
20.04 LTS (Ubuntu)
11 (Debian GNU/Linux)
12 (Debian GNU/Linux)
15 SP4 (SUSE Linux Enterprise Server for SAP Applications)
5.2 (SUSE Linux Enterprise Micro)
22.04 LTS (Ubuntu)
5.3 (SUSE Linux Enterprise Micro)
15 SP5 (SUSE Linux Enterprise Server for SAP Applications)
5.4 (SUSE Linux Enterprise Micro)
9.0 (Red Hat Enterprise Linux)
5.5 (SUSE Linux Enterprise Micro)
15 SP6 (SUSE Linux Enterprise Server for SAP Applications)
15.6 (OpenSUSE Leap)
12 SP5-LTSS (Suse Linux Enterprise Server)
9.4 Extended Update Support (Red Hat Enterprise Linux)
15 SP7 (Suse Linux Enterprise Desktop)
10 (Red Hat Enterprise Linux)
15 SP4 LTSS (Suse Linux Enterprise Server)
15 SP5 LTSS (Suse Linux Enterprise Server)
13 (Debian GNU/Linux)
6.0 (SUSE Linux Micro)
6.1 (SUSE Linux Micro)
16.0 (SUSE Linux Enterprise Server for SAP Applications)
16.0 (Suse Linux Enterprise Server)
9.6 Extended Update Support (Red Hat Enterprise Linux)
16.0 (OpenSUSE Leap)
6.2 (SUSE Linux Micro)
6.13 through 6.18.3 inclusive (Linux)
6.2 through 6.12.63 inclusive (Linux)
4.8 through 6.1.159 inclusive (Linux)

Software type

Operating system
Application software for information systems

Operating systems and hardware platforms

Red Hat Inc. Red Hat Enterprise Linux 8.0
Canonical Ltd. Ubuntu 20.04 LTS
Free software community Debian GNU/Linux 11
Free software community Debian GNU/Linux 12
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP4
Canonical Ltd. Ubuntu 22.04 LTS
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP5
Red Hat Inc. Red Hat Enterprise Linux 9.0
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP6
Novell Inc. OpenSUSE Leap 15.6
Novell Inc. Suse Linux Enterprise Server 12 SP5-LTSS
Red Hat Inc. Red Hat Enterprise Linux 9.4 Extended Update Support
Novell Inc. Suse Linux Enterprise Desktop 15 SP7
Red Hat Inc. Red Hat Enterprise Linux 10
Novell Inc. Suse Linux Enterprise Server 15 SP4 LTSS
Novell Inc. Suse Linux Enterprise Server 15 SP5 LTSS
Free software community Debian GNU/Linux 13
Novell Inc. SUSE Linux Micro 6.0
Novell Inc. SUSE Linux Micro 6.1
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 16.0
Novell Inc. Suse Linux Enterprise Server 16.0
Red Hat Inc. Red Hat Enterprise Linux 9.6 Extended Update Support
Novell Inc. OpenSUSE Leap 16.0
Novell Inc. SUSE Linux Micro 6.2
Free software community Linux 6.13 through 6.18.3 inclusive
Free software community Linux 6.2 through 6.12.63 inclusive
Free software community Linux 4.8 through 6.1.159 inclusive

Vulnerability severity level

High severity (CVSS 2.0 base score is 7.8)
High severity (CVSS 3.1 base score is 7.5)

Possible remediation measures

In the absence of security updates from the vendor, it is recommended to follow the "Recommendations for the Secure Configuration of LINUX Operating Systems" set out in the FSTEC of Russia methodological document approved on 25 December 2022.
Use of the recommendations:
For Linux:
https://git.kernel.org/stable/c/2bb759062efa188ea5d07242a43e5aa5464bbae1
https://git.kernel.org/stable/c/c53aa6a5086f03f19564096ee084a202a8c738c0
https://git.kernel.org/stable/c/bf3709738d8a8cc6fa275773170c5c29511a0b24
https://git.kernel.org/stable/c/73744ad5696dce0e0f43872aba8de6a83d6ad570
https://git.kernel.org/linus/58fc7342b529803d3c221101102fe913df7adb83
For Novell Inc. software products:
https://www.suse.com/security/cve/CVE-2025-71085.html
For Red Hat Inc. software products:
https://access.redhat.com/security/cve/cve-2025-71085
For Debian GNU/Linux:
https://security-tracker.debian.org/tracker/CVE-2025-71085
For Ubuntu:
https://ubuntu.com/security/CVE-2025-71085

Vulnerability status

Confirmed by the vendor

Exploit availability

Data being clarified

Remediation information

Vulnerability fixed

Identifiers in other vulnerability description systems

EPSS

Percentile: 2%
0.00114
Low

CVSS3: 7.5 High
CVSS2: 7.8 High

Related vulnerabilities

CVSS3: 5.5
ubuntu
5 months ago

In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() There exists a kernel oops caused by a BUG_ON(nhead < 0) at net/core/skbuff.c:2232 in pskb_expand_head(). This bug is triggered as part of the calipso_skbuff_setattr() routine when skb_cow() is passed headroom > INT_MAX (i.e. (int)(skb_headroom(skb) + len_delta) < 0). The root cause of the bug is due to an implicit integer cast in __skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure that delta = headroom - skb_headroom(skb) is never negative, otherwise we will trigger a BUG_ON in pskb_expand_head(). However, if headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta becomes negative, and pskb_expand_head() is passed a negative value for nhead. Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing "negative" headroom sizes to skb_cow() within calipso_skbuff_setattr() by only using skb_cow() to grow h...

CVSS3: 7.5
redhat
5 months ago

In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() There exists a kernel oops caused by a BUG_ON(nhead < 0) at net/core/skbuff.c:2232 in pskb_expand_head(). This bug is triggered as part of the calipso_skbuff_setattr() routine when skb_cow() is passed headroom > INT_MAX (i.e. (int)(skb_headroom(skb) + len_delta) < 0). The root cause of the bug is due to an implicit integer cast in __skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure that delta = headroom - skb_headroom(skb) is never negative, otherwise we will trigger a BUG_ON in pskb_expand_head(). However, if headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta becomes negative, and pskb_expand_head() is passed a negative value for nhead. Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing "negative" headroom sizes to skb_cow() within calipso_skbuff_setattr() by only using skb_cow() to grow h...

CVSS3: 5.5
nvd
5 months ago

In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() There exists a kernel oops caused by a BUG_ON(nhead < 0) at net/core/skbuff.c:2232 in pskb_expand_head(). This bug is triggered as part of the calipso_skbuff_setattr() routine when skb_cow() is passed headroom > INT_MAX (i.e. (int)(skb_headroom(skb) + len_delta) < 0). The root cause of the bug is due to an implicit integer cast in __skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure that delta = headroom - skb_headroom(skb) is never negative, otherwise we will trigger a BUG_ON in pskb_expand_head(). However, if headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta becomes negative, and pskb_expand_head() is passed a negative value for nhead. Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing "negative" headroom sizes to skb_cow() within calipso_skbuff_setattr() by only using skb_cow() to grow

CVSS3: 5.5
debian
5 months ago

In the Linux kernel, the following vulnerability has been resolved: i ...

CVSS3: 5.5
github
5 months ago

In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() There exists a kernel oops caused by a BUG_ON(nhead < 0) at net/core/skbuff.c:2232 in pskb_expand_head(). This bug is triggered as part of the calipso_skbuff_setattr() routine when skb_cow() is passed headroom > INT_MAX (i.e. (int)(skb_headroom(skb) + len_delta) < 0). The root cause of the bug is due to an implicit integer cast in __skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure that delta = headroom - skb_headroom(skb) is never negative, otherwise we will trigger a BUG_ON in pskb_expand_head(). However, if headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta becomes negative, and pskb_expand_head() is passed a negative value for nhead. Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing "negative" headroom sizes to skb_cow() within calipso_skbuff_setattr() by only using skb_cow() to gr...