IPv6 SNAT Vulnerability in Linux Kernel Affecting Network Traffic Management
CVE-2025-22021

Currently unrated

Key Information:

Vendor: Linux
Status: Linux
Vendor: CVE Published:; 16 April 2025

Summary

This vulnerability exists due to a missing connection tracking mechanism in the IPv6 SNAT implementation within the Linux kernel. Specifically, while the process for IPv4 packets correctly restores the original 5-tuple during SNAT operations, the corresponding logic for IPv6 packets currently lacks adequate conntrack lookup. This deficiency leads to failures in matching SNATed IPv6 packets when using tools like Cilium and Envoy, particularly in Kubernetes environments. As a result, packets might not be correctly processed, hindering effective network traffic management and policy enforcement.

Affected Version(s)

Linux eb31628e37a0a4e01fffd79dcc7f815d2357f53a < 6488b96a79a26e19100ad872622f04e93b638d7f

Linux eb31628e37a0a4e01fffd79dcc7f815d2357f53a < 58ab63d3ded2ca6141357a2b24eee8453d0f871d

Linux eb31628e37a0a4e01fffd79dcc7f815d2357f53a < 1ca2169cc19dca893c7aae6af122852097435d16

References

https://git.kernel.org/stable/c/6488b96a79a26e19100ad8726...

https://git.kernel.org/stable/c/58ab63d3ded2ca6141357a2b2...

https://git.kernel.org/stable/c/1ca2169cc19dca893c7aae6af...

Timeline

Vulnerability published
Apr 16, 2025
Vulnerability Reserved
Dec 29, 2024