vulnerability

Ubuntu: (Multiple Advisories) (CVE-2025-22056): Linux kernel vulnerabilities

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
7	(AV:L/AC:L/Au:S/C:C/I:C/A:C)	Apr 16, 2025	Jun 20, 2025	Nov 27, 2025

Severity

CVSS

(AV:L/AC:L/Au:S/C:C/I:C/A:C)

Published

Apr 16, 2025

Added

Jun 20, 2025

Modified

Nov 27, 2025

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_tunnel: fix geneve_opt type confusion addition

When handling multiple NFTA_TUNNEL_KEY_OPTS_GENEVE attributes, the
parsing logic should place every geneve_opt structure one by one
compactly. Hence, when deciding the next geneve_opt position, the
pointer addition should be in units of char *.

However, the current implementation erroneously does type conversion
before the addition, which will lead to heap out-of-bounds write.

[ 6.989857] ==================================================================
[ 6.990293] BUG: KASAN: slab-out-of-bounds in nft_tunnel_obj_init+0x977/0xa70
[ 6.990725] Write of size 124 at addr ffff888005f18974 by task poc/178
[ 6.991162]
[ 6.991259] CPU: 0 PID: 178 Comm: poc-oob-write Not tainted 6.1.132 #1
[ 6.991655] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[ 6.992281] Call Trace:
[ 6.992423] <TASK>
[ 6.992586] dump_stack_lvl+0x44/0x5c
[ 6.992801] print_report+0x184/0x4be
[ 6.993790] kasan_report+0xc5/0x100
[ 6.994252] kasan_check_range+0xf3/0x1a0
[ 6.994486] memcpy+0x38/0x60
[ 6.994692] nft_tunnel_obj_init+0x977/0xa70
[ 6.995677] nft_obj_init+0x10c/0x1b0
[ 6.995891] nf_tables_newobj+0x585/0x950
[ 6.996922] nfnetlink_rcv_batch+0xdf9/0x1020
[ 6.998997] nfnetlink_rcv+0x1df/0x220
[ 6.999537] netlink_unicast+0x395/0x530
[ 7.000771] netlink_sendmsg+0x3d0/0x6d0
[ 7.001462] __sock_sendmsg+0x99/0xa0
[ 7.001707] ____sys_sendmsg+0x409/0x450
[ 7.002391] ___sys_sendmsg+0xfd/0x170
[ 7.003145] __sys_sendmsg+0xea/0x170
[ 7.004359] do_syscall_64+0x5e/0x90
[ 7.005817] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 7.006127] RIP: 0033:0x7ec756d4e407
[ 7.006339] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf
[ 7.007364] RSP: 002b:00007ffed5d46760 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
[ 7.007827] RAX: ffffffffffffffda RBX: 00007ec756cc4740 RCX: 00007ec756d4e407
[ 7.008223] RDX: 0000000000000000 RSI: 00007ffed5d467f0 RDI: 0000000000000003
[ 7.008620] RBP: 00007ffed5d468a0 R08: 0000000000000000 R09: 0000000000000000
[ 7.009039] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[ 7.009429] R13: 00007ffed5d478b0 R14: 00007ec756ee5000 R15: 00005cbd4e655cb8

Fix this bug with correct pointer addition and conversion in parse
and dump code.

Solutions

ubuntu-upgrade-linux-image-5-15-0-1028-nvidia-tegra-igxubuntu-upgrade-linux-image-5-15-0-1028-nvidia-tegra-igx-rtubuntu-upgrade-linux-image-5-15-0-1039-nvidia-tegraubuntu-upgrade-linux-image-5-15-0-1039-nvidia-tegra-rtubuntu-upgrade-linux-image-5-15-0-1050-xilinx-zynqmpubuntu-upgrade-linux-image-5-15-0-1068-gkeopubuntu-upgrade-linux-image-5-15-0-1078-ibmubuntu-upgrade-linux-image-5-15-0-1079-intel-iot-realtimeubuntu-upgrade-linux-image-5-15-0-1080-nvidiaubuntu-upgrade-linux-image-5-15-0-1080-nvidia-lowlatencyubuntu-upgrade-linux-image-5-15-0-1080-raspiubuntu-upgrade-linux-image-5-15-0-1081-intel-iotgubuntu-upgrade-linux-image-5-15-0-1082-kvmubuntu-upgrade-linux-image-5-15-0-1083-gkeubuntu-upgrade-linux-image-5-15-0-1083-intel-iotgubuntu-upgrade-linux-image-5-15-0-1083-oracleubuntu-upgrade-linux-image-5-15-0-1085-gcpubuntu-upgrade-linux-image-5-15-0-1085-gcp-fipsubuntu-upgrade-linux-image-5-15-0-1086-awsubuntu-upgrade-linux-image-5-15-0-1086-aws-64kubuntu-upgrade-linux-image-5-15-0-1086-aws-fipsubuntu-upgrade-linux-image-5-15-0-1086-realtimeubuntu-upgrade-linux-image-5-15-0-1091-azureubuntu-upgrade-linux-image-5-15-0-1091-azure-fipsubuntu-upgrade-linux-image-5-15-0-142-fipsubuntu-upgrade-linux-image-5-15-0-142-genericubuntu-upgrade-linux-image-5-15-0-142-generic-64kubuntu-upgrade-linux-image-5-15-0-142-generic-lpaeubuntu-upgrade-linux-image-5-15-0-142-lowlatencyubuntu-upgrade-linux-image-5-15-0-142-lowlatency-64kubuntu-upgrade-linux-image-6-11-0-1011-realtimeubuntu-upgrade-linux-image-6-11-0-1014-raspiubuntu-upgrade-linux-image-6-11-0-1015-awsubuntu-upgrade-linux-image-6-11-0-1015-lowlatencyubuntu-upgrade-linux-image-6-11-0-1015-lowlatency-64kubuntu-upgrade-linux-image-6-11-0-1016-gcpubuntu-upgrade-linux-image-6-11-0-1016-gcp-64kubuntu-upgrade-linux-image-6-11-0-1017-oracleubuntu-upgrade-linux-image-6-11-0-1017-oracle-64kubuntu-upgrade-linux-image-6-11-0-1018-azureubuntu-upgrade-linux-image-6-11-0-1018-azure-fdeubuntu-upgrade-linux-image-6-11-0-1024-oemubuntu-upgrade-linux-image-6-11-0-28-genericubuntu-upgrade-linux-image-6-11-0-28-generic-64kubuntu-upgrade-linux-image-6-14-0-1004-realtimeubuntu-upgrade-linux-image-6-14-0-1007-awsubuntu-upgrade-linux-image-6-14-0-1007-aws-64kubuntu-upgrade-linux-image-6-14-0-1007-azureubuntu-upgrade-linux-image-6-14-0-1007-azure-fdeubuntu-upgrade-linux-image-6-14-0-1007-oracleubuntu-upgrade-linux-image-6-14-0-1007-oracle-64kubuntu-upgrade-linux-image-6-14-0-1007-raspiubuntu-upgrade-linux-image-6-14-0-1008-gcpubuntu-upgrade-linux-image-6-14-0-1008-gcp-64kubuntu-upgrade-linux-image-6-14-0-22-genericubuntu-upgrade-linux-image-6-14-0-22-generic-64kubuntu-upgrade-linux-image-6-8-0-1025-gkeopubuntu-upgrade-linux-image-6-8-0-1038-gkeubuntu-upgrade-linux-image-6-8-0-1038-gke-64kubuntu-upgrade-linux-image-6-8-0-1038-oracleubuntu-upgrade-linux-image-6-8-0-1038-oracle-64kubuntu-upgrade-linux-image-6-8-0-1039-ibmubuntu-upgrade-linux-image-6-8-0-1041-awsubuntu-upgrade-linux-image-6-8-0-1041-aws-64kubuntu-upgrade-linux-image-6-8-0-1041-azureubuntu-upgrade-linux-image-6-8-0-1041-nvidiaubuntu-upgrade-linux-image-6-8-0-1041-nvidia-64kubuntu-upgrade-linux-image-6-8-0-1041-nvidia-lowlatencyubuntu-upgrade-linux-image-6-8-0-1041-nvidia-lowlatency-64kubuntu-upgrade-linux-image-6-8-0-1041-raspiubuntu-upgrade-linux-image-6-8-0-1042-gcpubuntu-upgrade-linux-image-6-8-0-1042-gcp-64kubuntu-upgrade-linux-image-6-8-0-2032-raspi-realtimeubuntu-upgrade-linux-image-6-8-0-86-genericubuntu-upgrade-linux-image-6-8-0-86-generic-64kubuntu-upgrade-linux-image-6-8-0-86-lowlatencyubuntu-upgrade-linux-image-6-8-0-86-lowlatency-64kubuntu-upgrade-linux-image-6-8-1-1036-realtimeubuntu-upgrade-linux-image-awsubuntu-upgrade-linux-image-aws-6-8ubuntu-upgrade-linux-image-aws-64kubuntu-upgrade-linux-image-aws-64k-6-8ubuntu-upgrade-linux-image-aws-64k-lts-22-04ubuntu-upgrade-linux-image-aws-64k-lts-24-04ubuntu-upgrade-linux-image-aws-fipsubuntu-upgrade-linux-image-aws-lts-22-04ubuntu-upgrade-linux-image-aws-lts-24-04ubuntu-upgrade-linux-image-azureubuntu-upgrade-linux-image-azure-6-11ubuntu-upgrade-linux-image-azure-6-8ubuntu-upgrade-linux-image-azure-cvmubuntu-upgrade-linux-image-azure-fdeubuntu-upgrade-linux-image-azure-fde-6-11ubuntu-upgrade-linux-image-azure-fde-edgeubuntu-upgrade-linux-image-azure-fipsubuntu-upgrade-linux-image-azure-lts-22-04ubuntu-upgrade-linux-image-azure-lts-24-04ubuntu-upgrade-linux-image-fipsubuntu-upgrade-linux-image-gcpubuntu-upgrade-linux-image-gcp-6-8ubuntu-upgrade-linux-image-gcp-64kubuntu-upgrade-linux-image-gcp-64k-6-8ubuntu-upgrade-linux-image-gcp-64k-lts-24-04ubuntu-upgrade-linux-image-gcp-fipsubuntu-upgrade-linux-image-gcp-lts-22-04ubuntu-upgrade-linux-image-gcp-lts-24-04ubuntu-upgrade-linux-image-genericubuntu-upgrade-linux-image-generic-6-8ubuntu-upgrade-linux-image-generic-64kubuntu-upgrade-linux-image-generic-64k-6-8ubuntu-upgrade-linux-image-generic-64k-hwe-20-04ubuntu-upgrade-linux-image-generic-64k-hwe-22-04ubuntu-upgrade-linux-image-generic-64k-hwe-24-04ubuntu-upgrade-linux-image-generic-hwe-20-04ubuntu-upgrade-linux-image-generic-hwe-22-04ubuntu-upgrade-linux-image-generic-hwe-24-04ubuntu-upgrade-linux-image-generic-lpaeubuntu-upgrade-linux-image-generic-lpae-hwe-20-04ubuntu-upgrade-linux-image-gkeubuntu-upgrade-linux-image-gke-5-15ubuntu-upgrade-linux-image-gke-6-8ubuntu-upgrade-linux-image-gke-64kubuntu-upgrade-linux-image-gke-64k-6-8ubuntu-upgrade-linux-image-gkeopubuntu-upgrade-linux-image-gkeop-5-15ubuntu-upgrade-linux-image-gkeop-6-8ubuntu-upgrade-linux-image-ibmubuntu-upgrade-linux-image-ibm-6-8ubuntu-upgrade-linux-image-ibm-classicubuntu-upgrade-linux-image-ibm-lts-24-04ubuntu-upgrade-linux-image-intelubuntu-upgrade-linux-image-intel-iot-realtimeubuntu-upgrade-linux-image-intel-iotgubuntu-upgrade-linux-image-intel-iotg-5-15ubuntu-upgrade-linux-image-kvmubuntu-upgrade-linux-image-lowlatencyubuntu-upgrade-linux-image-lowlatency-6-11ubuntu-upgrade-linux-image-lowlatency-6-8ubuntu-upgrade-linux-image-lowlatency-64kubuntu-upgrade-linux-image-lowlatency-64k-6-11ubuntu-upgrade-linux-image-lowlatency-64k-6-8ubuntu-upgrade-linux-image-lowlatency-64k-hwe-20-04ubuntu-upgrade-linux-image-lowlatency-64k-hwe-22-04ubuntu-upgrade-linux-image-lowlatency-64k-hwe-24-04ubuntu-upgrade-linux-image-lowlatency-hwe-20-04ubuntu-upgrade-linux-image-lowlatency-hwe-22-04ubuntu-upgrade-linux-image-lowlatency-hwe-24-04ubuntu-upgrade-linux-image-nvidiaubuntu-upgrade-linux-image-nvidia-6-8ubuntu-upgrade-linux-image-nvidia-64kubuntu-upgrade-linux-image-nvidia-64k-6-8ubuntu-upgrade-linux-image-nvidia-64k-hwe-22-04ubuntu-upgrade-linux-image-nvidia-hwe-22-04ubuntu-upgrade-linux-image-nvidia-lowlatencyubuntu-upgrade-linux-image-nvidia-lowlatency-6-8ubuntu-upgrade-linux-image-nvidia-lowlatency-64kubuntu-upgrade-linux-image-nvidia-lowlatency-64k-6-8ubuntu-upgrade-linux-image-nvidia-tegraubuntu-upgrade-linux-image-nvidia-tegra-igxubuntu-upgrade-linux-image-nvidia-tegra-igx-rtubuntu-upgrade-linux-image-nvidia-tegra-rtubuntu-upgrade-linux-image-oem-20-04ubuntu-upgrade-linux-image-oem-20-04bubuntu-upgrade-linux-image-oem-20-04cubuntu-upgrade-linux-image-oem-20-04dubuntu-upgrade-linux-image-oem-22-04ubuntu-upgrade-linux-image-oem-22-04aubuntu-upgrade-linux-image-oem-22-04bubuntu-upgrade-linux-image-oem-22-04cubuntu-upgrade-linux-image-oem-22-04dubuntu-upgrade-linux-image-oem-24-04bubuntu-upgrade-linux-image-oracleubuntu-upgrade-linux-image-oracle-6-8ubuntu-upgrade-linux-image-oracle-64kubuntu-upgrade-linux-image-oracle-64k-6-8ubuntu-upgrade-linux-image-oracle-64k-lts-24-04ubuntu-upgrade-linux-image-oracle-lts-22-04ubuntu-upgrade-linux-image-oracle-lts-24-04ubuntu-upgrade-linux-image-raspiubuntu-upgrade-linux-image-raspi-6-8ubuntu-upgrade-linux-image-raspi-nolpaeubuntu-upgrade-linux-image-raspi-realtimeubuntu-upgrade-linux-image-raspi-realtime-6-8ubuntu-upgrade-linux-image-realtimeubuntu-upgrade-linux-image-realtime-6-8-1ubuntu-upgrade-linux-image-realtime-hwe-22-04ubuntu-upgrade-linux-image-virtualubuntu-upgrade-linux-image-virtual-6-8ubuntu-upgrade-linux-image-virtual-hwe-20-04ubuntu-upgrade-linux-image-virtual-hwe-22-04ubuntu-upgrade-linux-image-virtual-hwe-24-04ubuntu-upgrade-linux-image-xilinx-zynqmp

References

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today