CVE-2025-22021

netfilter: socket: Lookup orig tuple for IPv6 SNAT

Severity Score

6.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: netfilter: socket: Lookup orig tuple for IPv6 SNAT nf_sk_lookup_slow_v4 does the conntrack lookup for IPv4 packets to
restore the original 5-tuple in case of SNAT, to be able to find the
right socket (if any). Then socket_match() can correctly check whether
the socket was transparent. However, the IPv6 counterpart (nf_sk_lookup_slow_v6) lacks this
conntrack lookup, making xt_socket fail to match on the socket when the
packet was SNATed. Add the same logic to nf_sk_lookup_slow_v6. IPv6 SNAT is used in Kubernetes clusters for pod-to-world packets, as
pods' addresses are in the fd00::/8 ULA subnet and need to be replaced
with the node's external address. Cilium leverages Envoy to enforce L7
policies, and Envoy uses transparent sockets. Cilium inserts an iptables
prerouting rule that matches on `-m socket --transparent` and redirects
the packets to localhost, but it fails to match SNATed IPv6 packets due
to that missing conntrack lookup.

In the Linux kernel, the following vulnerability has been resolved: netfilter: socket: Lookup orig tuple for IPv6 SNAT nf_sk_lookup_slow_v4 does the conntrack lookup for IPv4 packets to restore the original 5-tuple in case of SNAT, to be able to find the right socket (if any). Then socket_match() can correctly check whether the socket was transparent. However, the IPv6 counterpart (nf_sk_lookup_slow_v6) lacks this conntrack lookup, making xt_socket fail to match on the socket when the packet was SNATed. Add the same logic to nf_sk_lookup_slow_v6. IPv6 SNAT is used in Kubernetes clusters for pod-to-world packets, as pods' addresses are in the fd00::/8 ULA subnet and need to be replaced with the node's external address. Cilium leverages Envoy to enforce L7 policies, and Envoy uses transparent sockets. Cilium inserts an iptables prerouting rule that matches on `-m socket --transparent` and redirects the packets to localhost, but it fails to match SNATed IPv6 packets due to that missing conntrack lookup.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2024-12-29 CVE Reserved
2025-04-16 CVE Published
2025-04-16 CVE Updated
2025-04-16 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (10)

URL	Tag	Source
https://git.kernel.org/stable/c/eb31628e37a0a4e01fffd79dcc7f815d2357f53a	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/6488b96a79a26e19100ad872622f04e93b638d7f	2025-04-10
https://git.kernel.org/stable/c/58ab63d3ded2ca6141357a2b24eee8453d0f871d	2025-04-10
https://git.kernel.org/stable/c/1ca2169cc19dca893c7aae6af122852097435d16	2025-04-10
https://git.kernel.org/stable/c/1ec43100f7123010730b7ddfc3d5c2eac19e70e7	2025-04-07
https://git.kernel.org/stable/c/5251041573850e5020cd447374e23010be698898	2025-04-07
https://git.kernel.org/stable/c/2bb139e483f8cbe488d19d8c1135ac3615e2668c	2025-04-07
https://git.kernel.org/stable/c/41904cbb343d115931d6bf79aa2c815cac4ef72b	2025-04-07
https://git.kernel.org/stable/c/221c27259324ec1404f028d4f5a0f2ae7f63ee23	2025-04-07
https://git.kernel.org/stable/c/932b32ffd7604fb00b5c57e239a3cc4d901ccf6e	2025-03-23

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.13 < 5.4.292 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 5.4.292"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.13 < 5.10.236 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 5.10.236"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.13 < 5.15.180 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 5.15.180"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.13 < 6.1.133 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 6.1.133"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.13 < 6.6.86 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 6.6.86"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.13 < 6.12.22 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 6.12.22"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.13 < 6.13.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 6.13.10"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.13 < 6.14.1 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 6.14.1"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.13 < 6.15-rc1 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 6.15-rc1"		en		Affected