How CVE-2025-22063 Works
This vulnerability is in the Linux kernel's NetLabel subsystem, in the path that applies IPv6 CALIPSO (Common Architecture Label IPv6 Security Option) labels to a socket. `netlbl_conn_setattr()`, reached from the LSM socket connect hook on hosts where NetLabel labeling is configured, switches on `addr->sa_family`, the family of the address handed to connect(), rather than on the socket's own family. If a process calls connect() on an AF_INET socket with an AF_INET6 sockaddr, the AF_INET6 branch runs and, where the matching NetLabel domain entry is a CALIPSO mapping, `calipso_sock_setattr()` is invoked. That function reads `inet6_sk(sk)`, which evaluates to `sk_fullsock(sk) ? inet_sk(sk)->pinet6 : NULL`. The `pinet6` field exists in `struct inet_sock` for every socket but is only populated for IPv6 sockets, so for the IPv4 socket it is NULL and the first use of the result (`np->opt`) is a NULL pointer dereference. The outcome is a kernel oops; because the fault is a read through a NULL pointer with no attacker-controlled write, the impact this mechanism supports is denial of service, not privilege escalation.
DailyCVE Form:
Platform: Linux Kernel
Version: Pre-5.15.120
Vulnerability: Null Pointer Dereference
Severity: Critical
Date: 04/29/2025
What Undercode Say:
Exploitation Analysis:
- Trigger Condition: a local process creates an AF_INET socket and calls connect() with an AF_INET6 sockaddr, on a host where the LSM has a NetLabel CALIPSO domain mapping that applies to that process (the CALIPSO branch is only reached when the looked-up domain entry is a CALIPSO mapping).
- Impact: kernel oops, i.e. denial of service. The fault is a read through a NULL pointer; nothing in the described path gives controlled memory corruption, so the "possible LPE" reading is not supported by this bug alone.
- Exploit Pseudocode (made compilable; the one-line original cast to `struct sockaddr` instead of `struct sockaddr *`):
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

int main(void)
{
    /* IPv4 socket ... */
    int sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) { perror("socket"); return 1; }

    /* ... handed an IPv6 address. The destination must fall under a CALIPSO
     * domain mapping for the vulnerable branch to be selected. */
    struct sockaddr_in6 addr6;
    memset(&addr6, 0, sizeof(addr6));
    addr6.sin6_family = AF_INET6;
    addr6.sin6_port = htons(80);
    addr6.sin6_addr = in6addr_loopback;

    /* On an unpatched, CALIPSO-labeled host this call does not return. */
    if (connect(sock, (struct sockaddr *)&addr6, sizeof(addr6)) < 0)
        perror("connect");   /* patched or unlabeled host: EAFNOSUPPORT */
    close(sock);
    return 0;
}
Protection Commands:
1. Patch Check:
The running version string alone is a weak indicator, because distributions backport this fix into kernels whose version does not change in any predictable way, and a pattern such as "6.1.\d+" would also match every unfixed 6.1.x kernel (`\d` is not a portable grep -E escape either). Compare the output of
uname -r
against your distribution's advisory for CVE-2025-22063 rather than against a hard-coded version. Check exposure as well: the path is only reachable on kernels built with CONFIG_NETLABEL and IPv6, and only when an LSM (SELinux or Smack) has a NetLabel CALIPSO mapping in effect:
grep -E "CONFIG_NETLABEL|CONFIG_IPV6=" /boot/config-$(uname -r)
2. Mitigation (remove CALIPSO labeling):
There is no /proc/sys/net/netlabel/netlabel_enabled sysctl; NetLabel is configured over generic netlink with netlabelctl (netlabel_tools), not through procfs. Until the kernel is updated, inspect what is configured and remove any CALIPSO DOI definitions and domain mappings that are not required (`netlabelctl map del` and `netlabelctl calipso del`):
netlabelctl calipso list
netlabelctl map list
The complete fix is a kernel carrying the upstream commit.
Code Fix Reference:
a/net/ipv6/calipso.c +++ b/net/ipv6/calipso.c @@ -123,7 +123,7 @@ int calipso_sock_setattr(struct sock sk, const struct calipso_doi doi_def, - ip6_sk = sk_fullsock(sk) ? inet_sk(sk)->pinet6 : NULL; + ip6_sk = sk_fullsock(sk) && inet6_sk(sk) ? inet_sk(sk)->pinet6 : NULL;
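Review bot: the `+` line does not change what is assigned. `inet6_sk(sk)` is itself defined as `sk_fullsock(sk) ? inet_sk(sk)->pinet6 : NULL`, which is exactly the `-` line, so `sk_fullsock(sk) && inet6_sk(sk) ? inet_sk(sk)->pinet6 : NULL` evaluates the same pointer twice and still yields NULL for an IPv4 socket; the later use of that pointer faults unless a NULL check on `ip6_sk` with an error return is added, and no such check appears in this hunk. The page's own description places the family confusion in `netlbl_conn_setattr()`, which selects the AF_INET6 branch from `addr->sa_family`; rejecting a socket whose `sk->sk_family` is not AF_INET6 there (returning -EAFNOSUPPORT) closes the path before any CALIPSO code runs. Separately, the context line `int calipso_sock_setattr(struct sock sk, const struct calipso_doi doi_def,` has lost the `*` on both pointer parameters, so the hunk does not apply as shown.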
Detection Script:
grep -r "calipso_sock_setattr" /usr/src/linux/net/ipv6/
This only confirms that the CALIPSO code is present in the source tree, which is true of every kernel that has CALIPSO at all, and says nothing about whether the fix is applied. What a trigger on an unpatched host leaves behind is an oops in the kernel log with the vulnerable function in its call trace, so look there instead:
dmesg | grep -A20 "BUG: kernel NULL pointer dereference" | grep -E "calipso_sock_setattr|netlbl_conn_setattr"
References:
- Kernel Git Commit: kernel.org/…/netlabel-fix-null-ptr
- CVSS 4.0: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H` (as given here; a network attack vector and high confidentiality and integrity impact do not match the trigger described above, a local connect() call whose effect is a kernel oops. Use the vendor or NVD score for your kernel when prioritising.)
Sources:
Reported By: nvd.nist.gov