{
  "threat_severity" : "Moderate",
  "public_date" : "2025-09-11T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM",
    "id" : "2394597",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2394597"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-841",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM\nWhen performing Generic Segmentation Offload (GSO) on an IPv6 packet that\ncontains extension headers, the kernel incorrectly requests checksum offload\nif the egress device only advertises NETIF_F_IPV6_CSUM feature, which has\na strict contract: it supports checksum offload only for plain TCP or UDP\nover IPv6 and explicitly does not support packets with extension headers.\nThe current GSO logic violates this contract by failing to disable the feature\nfor packets with extension headers, such as those used in GREoIPv6 tunnels.\nThis violation results in the device being asked to perform an operation\nit cannot support, leading to a `skb_warn_bad_offload` warning and a collapse\nof network throughput. While device TSO/USO is correctly bypassed in favor\nof software GSO for these packets, the GSO stack must be explicitly told not\nto request checksum offload.\nMask NETIF_F_IPV6_CSUM, NETIF_F_TSO6 and NETIF_F_GSO_UDP_L4\nin gso_features_check if the IPv6 header contains extension headers to compute\nchecksum in software.\nThe exception is a BIG TCP extension, which, as stated in commit\n68e068cabd2c6c53 (\"net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets\"):\n\"The feature is only enabled on devices that support BIG TCP TSO.\nThe header is only present for PF_PACKET taps like tcpdump,\nand not transmitted by physical devices.\"\nkernel log output (truncated):\nWARNING: CPU: 1 PID: 5273 at net/core/dev.c:3535 skb_warn_bad_offload+0x81/0x140\n...\nCall Trace:\n<TASK>\nskb_checksum_help+0x12a/0x1f0\nvalidate_xmit_skb+0x1a3/0x2d0\nvalidate_xmit_skb_list+0x4f/0x80\nsch_direct_xmit+0x1a2/0x380\n__dev_xmit_skb+0x242/0x670\n__dev_queue_xmit+0x3fc/0x7f0\nip6_finish_output2+0x25e/0x5d0\nip6_finish_output+0x1fc/0x3f0\nip6_tnl_xmit+0x608/0xc00 [ip6_tunnel]\nip6gre_tunnel_xmit+0x1c0/0x390 [ip6_gre]\ndev_hard_start_xmit+0x63/0x1c0\n__dev_queue_xmit+0x6d0/0x7f0\nip6_finish_output2+0x214/0x5d0\nip6_finish_output+0x1fc/0x3f0\nip6_xmit+0x2ca/0x6f0\nip6_finish_output+0x1fc/0x3f0\nip6_xmit+0x2ca/0x6f0\ninet6_csk_xmit+0xeb/0x150\n__tcp_transmit_skb+0x555/0xa80\ntcp_write_xmit+0x32a/0xe90\ntcp_sendmsg_locked+0x437/0x1110\ntcp_sendmsg+0x2f/0x50\n...\nskb linear:   00000000: e4 3d 1a 7d ec 30 e4 3d 1a 7e 5d 90 86 dd 60 0e\nskb linear:   00000010: 00 0a 1b 34 3c 40 20 11 00 00 00 00 00 00 00 00\nskb linear:   00000020: 00 00 00 00 00 12 20 11 00 00 00 00 00 00 00 00\nskb linear:   00000030: 00 00 00 00 00 11 2f 00 04 01 04 01 01 00 00 00\nskb linear:   00000040: 86 dd 60 0e 00 0a 1b 00 06 40 20 23 00 00 00 00\nskb linear:   00000050: 00 00 00 00 00 00 00 00 00 12 20 23 00 00 00 00\nskb linear:   00000060: 00 00 00 00 00 00 00 00 00 11 bf 96 14 51 13 f9\nskb linear:   00000070: ae 27 a0 a8 2b e3 80 18 00 40 5b 6f 00 00 01 01\nskb linear:   00000080: 08 0a 42 d4 50 d5 4b 70 f8 1a" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-09-15T00:00:00Z",
    "advisory" : "RHSA-2025:15782",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "kernel-0:6.12.0-55.33.1.el10_0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-39770\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-39770" ],
  "name" : "CVE-2025-39770",
  "csaw" : false
}