CVE-2025-71128 (GCVE-0-2025-71128)

Vulnerability from cvelistv5 – Published: 2026-01-14 15:07 – Updated: 2026-02-09 08:35
VLAI?
Title
erspan: Initialize options_len before referencing options.
Summary
In the Linux kernel, the following vulnerability has been resolved: erspan: Initialize options_len before referencing options. The struct ip_tunnel_info has a flexible array member named options that is protected by a counted_by(options_len) attribute. The compiler will use this information to enforce runtime bounds checking deployed by FORTIFY_SOURCE string helpers. As laid out in the GCC documentation, the counter must be initialized before the first reference to the flexible array member. After scanning through the files that use struct ip_tunnel_info and also refer to options or options_len, it appears the normal case is to use the ip_tunnel_info_opts_set() helper. Said helper would initialize options_len properly before copying data into options, however in the GRE ERSPAN code a partial update is done, preventing the use of the helper function. Before this change the handling of ERSPAN traffic in GRE tunnels would cause a kernel panic when the kernel is compiled with GCC 15+ and having FORTIFY_SOURCE configured: memcpy: detected buffer overflow: 4 byte write of buffer size 0 Call Trace: <IRQ> __fortify_panic+0xd/0xf erspan_rcv.cold+0x68/0x83 ? ip_route_input_slow+0x816/0x9d0 gre_rcv+0x1b2/0x1c0 gre_rcv+0x8e/0x100 ? raw_v4_input+0x2a0/0x2b0 ip_protocol_deliver_rcu+0x1ea/0x210 ip_local_deliver_finish+0x86/0x110 ip_local_deliver+0x65/0x110 ? ip_rcv_finish_core+0xd6/0x360 ip_rcv+0x186/0x1a0 Reported-at: https://launchpad.net/bugs/2129580
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: bb5e62f2d547c4de6d1b144cbce2373a76c33f18 , < b282b2a9eed848587c1348abdd5d83fa346a2743 (git)
Affected: bb5e62f2d547c4de6d1b144cbce2373a76c33f18 , < 35ddf66c65eff93fff91406756ba273600bf61a3 (git)
Create a notification for this product.
    Linux Linux Affected: 6.15
Unaffected: 0 , < 6.15 (semver)
Unaffected: 6.18.4 , ≤ 6.18.* (semver)
Unaffected: 6.19 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/ip_gre.c",
            "net/ipv6/ip6_gre.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b282b2a9eed848587c1348abdd5d83fa346a2743",
              "status": "affected",
              "version": "bb5e62f2d547c4de6d1b144cbce2373a76c33f18",
              "versionType": "git"
            },
            {
              "lessThan": "35ddf66c65eff93fff91406756ba273600bf61a3",
              "status": "affected",
              "version": "bb5e62f2d547c4de6d1b144cbce2373a76c33f18",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/ip_gre.c",
            "net/ipv6/ip6_gre.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.15"
            },
            {
              "lessThan": "6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.4",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerspan: Initialize options_len before referencing options.\n\nThe struct ip_tunnel_info has a flexible array member named\noptions that is protected by a counted_by(options_len)\nattribute.\n\nThe compiler will use this information to enforce runtime bounds\nchecking deployed by FORTIFY_SOURCE string helpers.\n\nAs laid out in the GCC documentation, the counter must be\ninitialized before the first reference to the flexible array\nmember.\n\nAfter scanning through the files that use struct ip_tunnel_info\nand also refer to options or options_len, it appears the normal\ncase is to use the ip_tunnel_info_opts_set() helper.\n\nSaid helper would initialize options_len properly before copying\ndata into options, however in the GRE ERSPAN code a partial\nupdate is done, preventing the use of the helper function.\n\nBefore this change the handling of ERSPAN traffic in GRE tunnels\nwould cause a kernel panic when the kernel is compiled with\nGCC 15+ and having FORTIFY_SOURCE configured:\n\nmemcpy: detected buffer overflow: 4 byte write of buffer size 0\n\nCall Trace:\n \u003cIRQ\u003e\n __fortify_panic+0xd/0xf\n erspan_rcv.cold+0x68/0x83\n ? ip_route_input_slow+0x816/0x9d0\n gre_rcv+0x1b2/0x1c0\n gre_rcv+0x8e/0x100\n ? raw_v4_input+0x2a0/0x2b0\n ip_protocol_deliver_rcu+0x1ea/0x210\n ip_local_deliver_finish+0x86/0x110\n ip_local_deliver+0x65/0x110\n ? ip_rcv_finish_core+0xd6/0x360\n ip_rcv+0x186/0x1a0\n\nReported-at: https://launchpad.net/bugs/2129580"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-09T08:35:24.025Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b282b2a9eed848587c1348abdd5d83fa346a2743"
        },
        {
          "url": "https://git.kernel.org/stable/c/35ddf66c65eff93fff91406756ba273600bf61a3"
        }
      ],
      "title": "erspan: Initialize options_len before referencing options.",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-71128",
    "datePublished": "2026-01-14T15:07:44.941Z",
    "dateReserved": "2026-01-13T15:30:19.655Z",
    "dateUpdated": "2026-02-09T08:35:24.025Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-71128\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-01-14T15:16:02.547\",\"lastModified\":\"2026-01-14T16:25:12.057\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nerspan: Initialize options_len before referencing options.\\n\\nThe struct ip_tunnel_info has a flexible array member named\\noptions that is protected by a counted_by(options_len)\\nattribute.\\n\\nThe compiler will use this information to enforce runtime bounds\\nchecking deployed by FORTIFY_SOURCE string helpers.\\n\\nAs laid out in the GCC documentation, the counter must be\\ninitialized before the first reference to the flexible array\\nmember.\\n\\nAfter scanning through the files that use struct ip_tunnel_info\\nand also refer to options or options_len, it appears the normal\\ncase is to use the ip_tunnel_info_opts_set() helper.\\n\\nSaid helper would initialize options_len properly before copying\\ndata into options, however in the GRE ERSPAN code a partial\\nupdate is done, preventing the use of the helper function.\\n\\nBefore this change the handling of ERSPAN traffic in GRE tunnels\\nwould cause a kernel panic when the kernel is compiled with\\nGCC 15+ and having FORTIFY_SOURCE configured:\\n\\nmemcpy: detected buffer overflow: 4 byte write of buffer size 0\\n\\nCall Trace:\\n \u003cIRQ\u003e\\n __fortify_panic+0xd/0xf\\n erspan_rcv.cold+0x68/0x83\\n ? ip_route_input_slow+0x816/0x9d0\\n gre_rcv+0x1b2/0x1c0\\n gre_rcv+0x8e/0x100\\n ? raw_v4_input+0x2a0/0x2b0\\n ip_protocol_deliver_rcu+0x1ea/0x210\\n ip_local_deliver_finish+0x86/0x110\\n ip_local_deliver+0x65/0x110\\n ? ip_rcv_finish_core+0xd6/0x360\\n ip_rcv+0x186/0x1a0\\n\\nReported-at: https://launchpad.net/bugs/2129580\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/35ddf66c65eff93fff91406756ba273600bf61a3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b282b2a9eed848587c1348abdd5d83fa346a2743\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.