CVE-2025-22056
📋 TL;DR
A heap out-of-bounds write in the Linux kernel's netfilter nft_tunnel module lets an attacker who can create nftables tunnel objects corrupt kernel memory when the module parses malformed GENEVE tunnel options. It affects Linux systems using nftables with tunnel rules. Exploitation could lead to kernel crashes or, potentially, privilege escalation.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic, system crash, or privilege escalation to root via kernel memory corruption leading to arbitrary code execution.
Likely Case
Kernel panic or system crash causing denial of service, potentially leading to privilege escalation in sophisticated attacks.
If Mitigated
Limited to denial of service if exploit attempts are blocked by security controls or if the vulnerable functionality isn't used.
🎯 Exploit Status
The CVE entry includes kernel panic output from a proof-of-concept, indicating that trigger code exists. Exploitation requires the ability to load specially crafted nftables configuration into the kernel, which is a local privileged operation (CAP_NET_ADMIN in the relevant network namespace) rather than something reachable from the network.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: kernel versions containing the fix commits listed under References (0a93a710d6df334b828ea064c6d39fda34f901dc and the other stable backports)
Vendor Advisory: https://git.kernel.org/stable/c/0a93a710d6df334b828ea064c6d39fda34f901dc
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a version containing the fix.
2. Check your distribution's security advisories for the specific patched kernel versions.
3. Reboot the system after the kernel update.
🔧 Temporary Workarounds
Disable nft_tunnel module
Prevent loading of the vulnerable nft_tunnel kernel module. A blacklist entry only stops alias-based autoloading; to also refuse explicit loads, add an install nft_tunnel /bin/false line to the same file. rmmod fails while nftables tunnel objects still reference the module, so remove those first.
echo 'blacklist nft_tunnel' >> /etc/modprobe.d/blacklist-nft-tunnel.conf
rmmod nft_tunnel
Disable nftables tunnel functionality
Remove or disable the nftables rules and objects that use tunnel features. Find their handles with nft -a list ruleset and delete the specific rule by handle; flushing the ruleset removes every firewall rule on the host, not only tunnel-related ones, so treat it as a last resort.
nft delete rule inet filter forward handle <HANDLE>
nft flush ruleset
🧯 If You Can't Patch
- Restrict network access to systems that use nftables tunnel rules
- Restrict who can load nftables configuration on those hosts: rules are installed over local netlink (CAP_NET_ADMIN in the relevant network namespace), so strict network segmentation limits exposure of the hosts but local access control is what limits who can push configuration
🔍 How to Verify
Check if Vulnerable:
Run lsmod | grep nft_tunnel to see whether the nft_tunnel module is loaded. If it is loaded and the kernel version is unpatched, the system is vulnerable. An unloaded module does not mean the host is safe: an unpatched kernel autoloads nft_tunnel on demand when a tunnel object is created unless loading is blocked via modprobe.d.
Check Version:
uname -r
Verify Fix Applied:
Compare the running kernel version (uname -r) against the patched versions in your distribution's advisories, confirm the running kernel contains one of the fix commits listed under References, and confirm that configuring nftables tunnel rules no longer crashes the module.
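The module check above is a one-line grep, but the detail that decides whether the rmmod workaround will succeed is the module's reference count, which lsmod prints in the third column. The following Python script is an added example (not from this page or the kernel project) that parses either lsmod output or /proc/modules, reports whether nft_tunnel is resident and whether it can be unloaded, and reads the real /proc/modules when run on a Linux host. The sample module listings embedded in it are constructed for illustration, and the function and class names are the example's own.

```python
"""Check whether nft_tunnel is loaded and whether it can be unloaded.

Added example, not from the CVE page or the kernel project. Parses
`lsmod` output or /proc/modules; both start each line with
<name> <size> <refcount> [users...]. `rmmod nft_tunnel` only succeeds
when the reference count is zero.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import Path

MODULE = "nft_tunnel"


@dataclass
class ModuleStatus:
    loaded: bool
    refcount: int = 0
    used_by: tuple[str, ...] = ()

    @property
    def unloadable(self) -> bool:
        # rmmod refuses to remove a module that still has users.
        return self.loaded and self.refcount == 0


def parse_module_list(text: str, name: str = MODULE) -> ModuleStatus:
    """Return the status of module `name` from lsmod or /proc/modules text.

    lsmod lists users as a comma-separated fourth column; /proc/modules
    uses "-" when there are none and appends state and address columns.
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != name:
            continue  # header, blank line, or a different module
        try:
            refcount = int(fields[2])
        except ValueError:
            continue  # e.g. the "Module Size Used by" header
        users: tuple[str, ...] = ()
        if len(fields) > 3 and fields[3] != "-":
            users = tuple(u for u in fields[3].rstrip(",").split(",") if u)
        return ModuleStatus(loaded=True, refcount=refcount, used_by=users)
    return ModuleStatus(loaded=False)


def describe(status: ModuleStatus) -> str:
    """Human-readable verdict for the workaround decision."""
    if not status.loaded:
        return (f"{MODULE} is not loaded; it can still be autoloaded when a tunnel "
                "object is created unless blocked via modprobe.d")
    if status.unloadable:
        return f"{MODULE} is loaded and idle; rmmod {MODULE} should succeed"
    return (f"{MODULE} is loaded with refcount {status.refcount}; remove the nftables "
            "tunnel objects/rules that reference it before rmmod")


def read_live_status() -> ModuleStatus:
    """Read the real /proc/modules on a Linux host (not-loaded elsewhere)."""
    path = Path("/proc/modules")
    if not path.exists():
        return ModuleStatus(loaded=False)
    return parse_module_list(path.read_text())


# Constructed sample listings (not real host output) used when run stand-alone.
SAMPLE_LSMOD = """\
Module                  Size  Used by
nft_tunnel             16384  1
nf_tables             303104  3 nft_tunnel,nft_compat,nft_chain_nat
"""

SAMPLE_PROC_MODULES = """\
nft_tunnel 16384 0 - Live 0x0000000000000000
nf_tables 303104 1 nft_tunnel, Live 0x0000000000000000
"""

if __name__ == "__main__":
    for label, text in (("lsmod", SAMPLE_LSMOD), ("/proc/modules", SAMPLE_PROC_MODULES)):
        print(f"{label}: {describe(parse_module_list(text))}")
    print(f"this host: {describe(read_live_status())}")
```

Running it on a host prints the verdict for the live /proc/modules after the two constructed samples; a non-zero refcount with an empty "used by" list is the typical sign that nftables tunnel objects, rather than other modules, are holding nft_tunnel in memory.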
📡 Detection & Monitoring
Log Indicators:
- Kernel panic or oops messages mentioning nft_tunnel_obj_init
- KASAN reports of slab-out-of-bounds writes (only on kernels built with KASAN; production kernels show a plain oops or panic instead)
- System crashes when configuring nftables tunnel rules
Network Indicators:
- nftables configuration is delivered over local netlink sockets, not the network, so watch for unusual or unexpected nftables configuration activity on the host rather than for traffic
- Creation of nftables tunnel objects carrying GENEVE options by unexpected users or processes
SIEM Query:
event_source="kernel" AND (message CONTAINS "nft_tunnel" OR message CONTAINS "KASAN: slab-out-of-bounds")
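The SIEM query above is a substring match; in practice the KASAN header line names the faulting function, which is what separates an nft_tunnel report from an unrelated KASAN hit. The Python script below is an added example (not from this page or any SIEM product) that runs the log indicators listed above over kernel log lines and returns structured findings with a severity, so they can be triaged or forwarded. The sample log lines embedded in it are constructed for illustration, not captured from a real crash, and the regexes, names and severity scheme are the example's own assumptions.

```python
"""Classify kernel log lines against the CVE-2025-22056 log indicators.

Added example, not from the CVE page or any SIEM product. Flags KASAN
slab-out-of-bounds reports, oops/panic headers and nft_tunnel mentions,
returning Finding records rather than raw substring matches.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# KASAN report header: "BUG: KASAN: <kind> in <function>+0x.../0x..."
KASAN_RE = re.compile(r"BUG: KASAN: (?P<kind>[a-z-]+) in (?P<func>[A-Za-z0-9_]+)")
# Oops/panic headers seen on non-KASAN (production) kernels
CRASH_RE = re.compile(r"(Kernel panic|BUG: unable to handle|general protection fault|Oops:)")
NFT_TUNNEL_RE = re.compile(r"\bnft_tunnel\w*")


@dataclass(frozen=True)
class Finding:
    line_no: int
    severity: str  # "high" or "medium"
    reason: str
    line: str


def classify_line(line_no: int, line: str) -> Finding | None:
    """Return a Finding for one log line, or None if it matches no indicator."""
    m = KASAN_RE.search(line)
    if m:
        # A KASAN hit inside nft_tunnel, or any slab-out-of-bounds, is high.
        in_module = NFT_TUNNEL_RE.search(m.group("func")) is not None
        sev = "high" if in_module or m.group("kind") == "slab-out-of-bounds" else "medium"
        return Finding(line_no, sev, f"KASAN {m.group('kind')} in {m.group('func')}", line)
    if CRASH_RE.search(line):
        sev = "high" if NFT_TUNNEL_RE.search(line) else "medium"
        return Finding(line_no, sev, "kernel oops/panic", line)
    if NFT_TUNNEL_RE.search(line):
        return Finding(line_no, "medium", "nft_tunnel mentioned", line)
    return None


def scan_kernel_log(lines) -> list[Finding]:
    """Run classify_line over an iterable of log lines, keeping only hits."""
    findings: list[Finding] = []
    for n, raw in enumerate(lines, start=1):
        f = classify_line(n, raw.rstrip("\n"))
        if f is not None:
            findings.append(f)
    return findings


def max_severity(findings) -> str:
    """Overall severity of a scan: "none", "medium" or "high"."""
    order = {"none": 0, "medium": 1, "high": 2}
    return max((f.severity for f in findings), key=order.__getitem__, default="none")


# Constructed sample lines (not a real crash capture) used when run stand-alone.
SAMPLE_LOG = [
    "kernel: [  981.120] usb 1-1: new high-speed USB device number 4 using xhci_hcd",
    "kernel: [ 1203.441] ==================================================================",
    "kernel: [ 1203.442] BUG: KASAN: slab-out-of-bounds in nft_tunnel_obj_init+0x1a2/0x4b0 [nft_tunnel]",
    "kernel: [ 1203.443] Write of size 4 at addr ffff888012345678 by task nft/1234",
    "kernel: [ 1203.490] Kernel panic - not syncing: panic_on_warn set ...",
]

if __name__ == "__main__":
    hits = scan_kernel_log(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no} [{f.severity}] {f.reason}")
    print("overall:", max_severity(hits))
```

To use it on a live host, feed it the output of dmesg or journalctl -k instead of SAMPLE_LOG; the "Write of size" and task lines that follow a KASAN header are deliberately not flagged on their own, since the header line already carries the faulting function.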
🔗 References
- https://git.kernel.org/stable/c/0a93a710d6df334b828ea064c6d39fda34f901dc
- https://git.kernel.org/stable/c/1b755d8eb1ace3870789d48fbd94f386ad6e30be
- https://git.kernel.org/stable/c/28d88ee1e1cc8ac2d79aeb112717b97c5c833d43
- https://git.kernel.org/stable/c/31d49eb436f2da61280508d7adf8c9b473b967aa
- https://git.kernel.org/stable/c/446d94898c560ed2f61e26ae445858a4c4830762
- https://git.kernel.org/stable/c/708e268acb3a446ad2a8a3d2e9bd41cc23660cd6
- https://git.kernel.org/stable/c/a263d31c8c92e5919d41af57d9479cfb66323782
- https://git.kernel.org/stable/c/ca2adfc03cd6273f0b589fe65afc6f75e0fe116e
- https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
- https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html