CVE-2025-22055— net: fix geneve_opt length integer overflow

AI Predicted 7.8 Difficulty: Easy EPSS 0.03% · P10 Updated May 13, 2026

Affected Version Matrix 18

Vendor	Product	Version Range	Status
Linux	Linux	`0ed5269f9e41f495c8e9020c85f5e1644c1afc57< a2cb85f989e2074e2f392e00188c438cab3de088`	affected
		`0ed5269f9e41f495c8e9020c85f5e1644c1afc57< b4513ad0f391871d3feee8ddf535609a3aabeeac`	affected
		`0ed5269f9e41f495c8e9020c85f5e1644c1afc57< 21748669c5825761cbbf47cbeeb01387ddccc8cb`	affected
		`0ed5269f9e41f495c8e9020c85f5e1644c1afc57< 5a2976cc4d9c36ff58a0f10e35ce4283cbaa9c0e`	affected
		`0ed5269f9e41f495c8e9020c85f5e1644c1afc57< 2952776c69a1a551649ed770bf22e3f691f6ec65`	affected
		`0ed5269f9e41f495c8e9020c85f5e1644c1afc57< 738ae5712215fe9181587d582b23333f02c62ca6`	affected
		`0ed5269f9e41f495c8e9020c85f5e1644c1afc57< 4d606069bdd3c76f8ab1f06796c97ef7f4746807`	affected
		`0ed5269f9e41f495c8e9020c85f5e1644c1afc57< b27055a08ad4b415dcf15b63034f9cb236f7fb40`	affected
… +10 more rows

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-22055

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

net: fix geneve_opt length integer overflow

Source: NVD (National Vulnerability Database)

Vulnerability Description

In the Linux kernel, the following vulnerability has been resolved: net: fix geneve_opt length integer overflow struct geneve_opt uses 5 bit length for each single option, which means every vary size option should be smaller than 128 bytes. However, all current related Netlink policies cannot promise this length condition and the attacker can exploit a exact 128-byte size option to *fake* a zero length option and confuse the parsing logic, further achieve heap out-of-bounds read. One example crash log is like below: [ 3.905425] ================================================================== [ 3.905925] BUG: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0 [ 3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177 [ 3.906646] [ 3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1 [ 3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 [ 3.907784] Call Trace: [ 3.907925] <TASK> [ 3.908048] dump_stack_lvl+0x44/0x5c [ 3.908258] print_report+0x184/0x4be [ 3.909151] kasan_report+0xc5/0x100 [ 3.909539] kasan_check_range+0xf3/0x1a0 [ 3.909794] memcpy+0x1f/0x60 [ 3.909968] nla_put+0xa9/0xe0 [ 3.910147] tunnel_key_dump+0x945/0xba0 [ 3.911536] tcf_action_dump_1+0x1c1/0x340 [ 3.912436] tcf_action_dump+0x101/0x180 [ 3.912689] tcf_exts_dump+0x164/0x1e0 [ 3.912905] fw_dump+0x18b/0x2d0 [ 3.913483] tcf_fill_node+0x2ee/0x460 [ 3.914778] tfilter_notify+0xf4/0x180 [ 3.915208] tc_new_tfilter+0xd51/0x10d0 [ 3.918615] rtnetlink_rcv_msg+0x4a2/0x560 [ 3.919118] netlink_rcv_skb+0xcd/0x200 [ 3.919787] netlink_unicast+0x395/0x530 [ 3.921032] netlink_sendmsg+0x3d0/0x6d0 [ 3.921987] __sock_sendmsg+0x99/0xa0 [ 3.922220] __sys_sendto+0x1b7/0x240 [ 3.922682] __x64_sys_sendto+0x72/0x90 [ 3.922906] do_syscall_64+0x5e/0x90 [ 3.923814] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 3.924122] RIP: 0033:0x7e83eab84407 [ 3.924331] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf [ 3.925330] RSP: 002b:00007ffff505e370 EFLAGS: 00000202 ORIG_RAX: 000000000000002c [ 3.925752] RAX: ffffffffffffffda RBX: 00007e83eaafa740 RCX: 00007e83eab84407 [ 3.926173] RDX: 00000000000001a8 RSI: 00007ffff505e3c0 RDI: 0000000000000003 [ 3.926587] RBP: 00007ffff505f460 R08: 00007e83eace1000 R09: 000000000000000c [ 3.926977] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff505f3c0 [ 3.927367] R13: 00007ffff505f5c8 R14: 00007e83ead1b000 R15: 00005d4fbbe6dcb8 Fix these issues by enforing correct length condition in related policies.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Title

Linux kernel 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞，该漏洞源于geneve_opt长度整数溢出，可能导致堆越界读取。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Linux	Linux	0ed5269f9e41f495c8e9020c85f5e1644c1afc57 ~ a2cb85f989e2074e2f392e00188c438cab3de088	-
Linux	Linux	4.19	-

II. Public POCs for CVE-2025-22055

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2025-22055

请登录查看更多情报信息。

Other References for CVE-2025-22055 (6)

https://nvd.nist.gov/vuln/detail/CVE-2025-22055

Same Patch Batch · Linux · 2025-04-16 · 127 CVEs total

CVE-2025-22040	8.8 HIGH	ksmbd: fix session use-after-free in multichannel connection
CVE-2025-22041	8.8 HIGH	ksmbd: fix use-after-free in ksmbd_sessions_deregister()
CVE-2025-22093		drm/amd/display: avoid NPD when ASIC does not support DMUB
CVE-2025-22107		net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry()
CVE-2025-22106		vmxnet3: unregister xdp rxq info in the reset path
CVE-2025-22105		bonding: check xdp prog when set bond mode
CVE-2025-22104		ibmvnic: Use kernel helpers for hex dumps
CVE-2025-22103		net: fix NULL pointer dereference in l3mdev_l3_rcv
CVE-2025-22102		Bluetooth: btnxpuart: Fix kernel panic during FW release
CVE-2025-22100		drm/panthor: Fix race condition when gathering fdinfo group samples
CVE-2025-22101		net: libwx: fix Tx L4 checksum
CVE-2025-22099		drm: xlnx: zynqmp_dpsub: Add NULL check in zynqmp_audio_init
CVE-2025-22097		drm/vkms: Fix use after free and double free on init error
CVE-2025-22098		drm: zynqmp_dp: Fix a deadlock in zynqmp_dp_ignore_hpd_set()
CVE-2025-22096		drm/msm/gem: Fix error code msm_parse_deps()
CVE-2025-22095		PCI: brcmstb: Fix error path after a call to regulator_bulk_get()
CVE-2025-22094		powerpc/perf: Fix ref-counting on the PMU 'vpa_pmu'
CVE-2025-22083		vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint
CVE-2025-22082		iio: backend: make sure to NULL terminate stack buffer
CVE-2025-22081		fs/ntfs3: Fix a couple integer overflows on 32bit systems

Showing top 20 of 127 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: Linux

Same vendor: Linux

V. Comments for CVE-2025-22055

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2025-22055— net: fix geneve_opt length integer overflow

Affected Version Matrix 18

I. Basic Information for CVE-2025-22055

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2025-22055

III. Intelligence Information for CVE-2025-22055

Other References for CVE-2025-22055 (6)

Same Patch Batch · Linux · 2025-04-16 · 127 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2025-22055

Leave a comment