How the CVE Works
The vulnerability occurs in the Linux kernel’s IPv6 routing subsystem (`fib_check_nh_v6_gw()`). When `fib6_nh_init()` fails to allocate `fib6_nh->rt6i_pcpu`, it does not properly clean up the pre-allocated `nhc_pcpu_rth_output` memory, leading to a memory leak. This happens because `fib_nh_common_init()` was moved before `alloc_percpu_gfp()` in the initialization flow, but the error-handling path was not updated to release `nhc_pcpu_rth_output`. The leak persists across route updates, potentially degrading system performance over time.
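A userspace model of the error path described above, added here as an illustration (it is not kernel code or the upstream patch). `nh_init`, `model_alloc`, `common_release`, `leaked_after` and the `*_model` structs are hypothetical stand-ins; `malloc` stands in for the per-CPU allocators and a flag forces the second allocation to fail.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model: every name below is a stand-in, not kernel code. */
static int live_allocs, fail_pcpu;   /* outstanding buffers; fault-injection switch */
struct nh_common_model { void *nhc_pcpu_rth_output; };
struct fib6_nh_model { struct nh_common_model nh_common; void *rt6i_pcpu; };

static void *model_alloc(int may_fail)
{
    void *p = (may_fail && fail_pcpu) ? NULL : malloc(64);
    live_allocs += (p != NULL);
    return p;
}

static void common_release(struct nh_common_model *c)  /* models fib_nh_common_release() */
{
    live_allocs -= (c->nhc_pcpu_rth_output != NULL);
    free(c->nhc_pcpu_rth_output);            /* free(NULL) is a no-op */
    c->nhc_pcpu_rth_output = NULL;
}

/* Models fib6_nh_init(); fixed != 0 selects the corrected error path. */
static int nh_init(struct fib6_nh_model *nh, int fixed)
{
    nh->nh_common.nhc_pcpu_rth_output = model_alloc(0);  /* common init runs first */
    if (!nh->nh_common.nhc_pcpu_rth_output)
        return -1;
    nh->rt6i_pcpu = model_alloc(1);                      /* later step, may fail */
    if (nh->rt6i_pcpu)
        return 0;
    if (fixed)
        common_release(&nh->nh_common);                  /* unwind the earlier step */
    return -1;                                           /* unfixed: buffer leaks here */
}

int leaked_after(int n, int fixed)   /* buffers left behind by n failing inits */
{
    struct fib6_nh_model nh;
    live_allocs = 0; fail_pcpu = 1;
    while (n-- > 0)
        nh_init(&nh, fixed);
    return live_allocs;
}

int main(void)
{
    printf("unfixed: %d leaked, fixed: %d leaked\n", leaked_after(1000, 0), leaked_after(1000, 1));
    return 0;
}
```

Each failed initialisation in the unfixed path leaves exactly one buffer behind, which is why the leak grows with the number of failing route operations rather than with time alone.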
DailyCVE Form
Platform: Linux Kernel
Version: Pre-patch versions
Vulnerability: IPv6 memory leak
Severity: Medium
Date: 04/10/2025
What Undercode Say:
Exploitation:
1. Trigger Condition: Repeated IPv6 route additions/deletions with gateway checks.
2. Impact: Gradual memory exhaustion, possible DoS.
3. Debugging Command:
watch -n 1 "cat /proc/meminfo | grep Slab"
4. Kernel Logs:
dmesg | grep -i "fib6_nh_init failed"
Mitigation:
1. Patch: Apply kernel commit `7dd73168e273` backports.
2. Workaround: Restrict IPv6 route modifications to trusted users.
3. Check Vulnerability:
uname -r  # Verify kernel version
4. Kernel Config Check:
zgrep CONFIG_IPV6 /proc/config.gz
Code Snippets:
1. Leak Detection (BPF):
    tracepoint:kmem:kmalloc
    {
        // The kmalloc tracepoint exposes bytes_req and bytes_alloc, not "bytes"
        if (args->bytes_req == sizeof(struct rt6_info)) {
            printf("Potential leak: %p\n", args->ptr);
        }
    }
2. Manual Cleanup (Testing):
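    /* Error path in fib6_nh_init(): the rt6i_pcpu allocation failed */
    if (fib6_nh->rt6i_pcpu == NULL) {
        /* Release what fib_nh_common_init() allocated earlier */
        fib_nh_common_release(&fib6_nh->nh_common);
        fib6_nh->nh_common.nhc_pcpu_rth_output = NULL;
    }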
Analytics:
- Attack Surface: Local/remote (via IPv6 routing).
- CVSS 4.0: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L` (Medium).
- Monitoring: Track `/proc/slabinfo` for `fib6_nh` growth.
References:
- Kernel Git: Commit 7dd73168e273
- Mitre: CVE-2025-22005
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-22005