{"api_version":"1","generated_at":"2026-05-13T11:05:22+00:00","cve":"CVE-2025-39770","urls":{"html":"https://cve.report/CVE-2025-39770","api":"https://cve.report/api/cve/CVE-2025-39770.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-39770","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-39770"},"summary":{"title":"net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM\n\nWhen performing Generic Segmentation Offload (GSO) on an IPv6 packet that\ncontains extension headers, the kernel incorrectly requests checksum offload\nif the egress device only advertises NETIF_F_IPV6_CSUM feature, which has\na strict contract: it supports checksum offload only for plain TCP or UDP\nover IPv6 and explicitly does not support packets with extension headers.\nThe current GSO logic violates this contract by failing to disable the feature\nfor packets with extension headers, such as those used in GREoIPv6 tunnels.\n\nThis violation results in the device being asked to perform an operation\nit cannot support, leading to a `skb_warn_bad_offload` warning and a collapse\nof network throughput. While device TSO/USO is correctly bypassed in favor\nof software GSO for these packets, the GSO stack must be explicitly told not\nto request checksum offload.\n\nMask NETIF_F_IPV6_CSUM, NETIF_F_TSO6 and NETIF_F_GSO_UDP_L4\nin gso_features_check if the IPv6 header contains extension headers to compute\nchecksum in software.\n\nThe exception is a BIG TCP extension, which, as stated in commit\n68e068cabd2c6c53 (\"net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets\"):\n\"The feature is only enabled on devices that support BIG TCP TSO.\nThe header is only present for PF_PACKET taps like tcpdump,\nand not transmitted by physical devices.\"\n\nkernel log output (truncated):\nWARNING: CPU: 1 PID: 5273 at net/core/dev.c:3535 skb_warn_bad_offload+0x81/0x140\n...\nCall Trace:\n <TASK>\n skb_checksum_help+0x12a/0x1f0\n validate_xmit_skb+0x1a3/0x2d0\n validate_xmit_skb_list+0x4f/0x80\n sch_direct_xmit+0x1a2/0x380\n __dev_xmit_skb+0x242/0x670\n __dev_queue_xmit+0x3fc/0x7f0\n ip6_finish_output2+0x25e/0x5d0\n ip6_finish_output+0x1fc/0x3f0\n ip6_tnl_xmit+0x608/0xc00 [ip6_tunnel]\n ip6gre_tunnel_xmit+0x1c0/0x390 [ip6_gre]\n dev_hard_start_xmit+0x63/0x1c0\n __dev_queue_xmit+0x6d0/0x7f0\n ip6_finish_output2+0x214/0x5d0\n ip6_finish_output+0x1fc/0x3f0\n ip6_xmit+0x2ca/0x6f0\n ip6_finish_output+0x1fc/0x3f0\n ip6_xmit+0x2ca/0x6f0\n inet6_csk_xmit+0xeb/0x150\n __tcp_transmit_skb+0x555/0xa80\n tcp_write_xmit+0x32a/0xe90\n tcp_sendmsg_locked+0x437/0x1110\n tcp_sendmsg+0x2f/0x50\n...\nskb linear:   00000000: e4 3d 1a 7d ec 30 e4 3d 1a 7e 5d 90 86 dd 60 0e\nskb linear:   00000010: 00 0a 1b 34 3c 40 20 11 00 00 00 00 00 00 00 00\nskb linear:   00000020: 00 00 00 00 00 12 20 11 00 00 00 00 00 00 00 00\nskb linear:   00000030: 00 00 00 00 00 11 2f 00 04 01 04 01 01 00 00 00\nskb linear:   00000040: 86 dd 60 0e 00 0a 1b 00 06 40 20 23 00 00 00 00\nskb linear:   00000050: 00 00 00 00 00 00 00 00 00 12 20 23 00 00 00 00\nskb linear:   00000060: 00 00 00 00 00 00 00 00 00 11 bf 96 14 51 13 f9\nskb linear:   00000070: ae 27 a0 a8 2b e3 80 18 00 40 5b 6f 00 00 01 01\nskb linear:   00000080: 08 0a 42 d4 50 d5 4b 70 f8 1a","state":"PUBLISHED","assigner":"Linux","published_at":"2025-09-11 17:15:42","updated_at":"2026-05-12 13:17:10"},"problem_types":["NVD-CWE-noinfo"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html","name":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-082556.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-082556.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/041e2f945f82fdbd6fff577b79c33469430297aa","name":"https://git.kernel.org/stable/c/041e2f945f82fdbd6fff577b79c33469430297aa","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/794ddbb7b63b6828c75967b9bcd43b086716e7a1","name":"https://git.kernel.org/stable/c/794ddbb7b63b6828c75967b9bcd43b086716e7a1","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/864e3396976ef41de6cc7bc366276bf4e084fff2","name":"https://git.kernel.org/stable/c/864e3396976ef41de6cc7bc366276bf4e084fff2","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-032379.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-032379.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a0478d7e888028f85fa7785ea838ce0ca09398e2","name":"https://git.kernel.org/stable/c/a0478d7e888028f85fa7785ea838ce0ca09398e2","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/2156d9e9f2e483c8c3906c0ea57ea312c1424235","name":"https://git.kernel.org/stable/c/2156d9e9f2e483c8c3906c0ea57ea312c1424235","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-39770","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39770","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected a84978a9cda68f0afe3f01d476c68db21526baf1 a0478d7e888028f85fa7785ea838ce0ca09398e2 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c69bc67c1cb211aa390bea6e512bb01b1241fefb 2156d9e9f2e483c8c3906c0ea57ea312c1424235 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 04c20a9356f283da623903e81e7c6d5df7e4dc3c 041e2f945f82fdbd6fff577b79c33469430297aa git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 04c20a9356f283da623903e81e7c6d5df7e4dc3c 794ddbb7b63b6828c75967b9bcd43b086716e7a1 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 04c20a9356f283da623903e81e7c6d5df7e4dc3c 864e3396976ef41de6cc7bc366276bf4e084fff2 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected bcefc3cd7f592a70fcbbbfd7ad1fbc69172ea78b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 477b35d94a21530046fe91589960732fcf2b29ed git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected a27a5c40ee4cbe00294e2c76160de5f2589061ba git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9f605135a5c0fe614c2b15197b9ced1e217eca59 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 705350fbd6ed4b5d89ee045fa57a0594a72b17d7 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.12","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.149 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.103 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.44 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.16.4 6.16.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.17 * original_commit_for_fix","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC CN 4100","version":"affected V5.0 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","version":"affected V3.1.5 * custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","version":"affected V3.1.5 * custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","version":"affected V3.1.5 * custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","version":"affected V3.1.5 * custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIPLUS S7-1500 CPU 1518-4 PN/DP MFP","version":"affected V3.1.5 * custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2025","cve_id":"39770","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2025-11-03T17:43:12.813Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"}],"title":"CVE Program Container"},{"affected":[{"defaultStatus":"unknown","product":"SIMATIC CN 4100","vendor":"Siemens","versions":[{"lessThan":"V5.0","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"V3.1.5","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"V3.1.5","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"V3.1.5","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"V3.1.5","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIPLUS S7-1500 CPU 1518-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"V3.1.5","versionType":"custom"}]}],"providerMetadata":{"dateUpdated":"2026-05-12T12:06:52.514Z","orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP"},"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-082556.html"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-032379.html"}],"x_adpType":"supplier"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/core/dev.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"a0478d7e888028f85fa7785ea838ce0ca09398e2","status":"affected","version":"a84978a9cda68f0afe3f01d476c68db21526baf1","versionType":"git"},{"lessThan":"2156d9e9f2e483c8c3906c0ea57ea312c1424235","status":"affected","version":"c69bc67c1cb211aa390bea6e512bb01b1241fefb","versionType":"git"},{"lessThan":"041e2f945f82fdbd6fff577b79c33469430297aa","status":"affected","version":"04c20a9356f283da623903e81e7c6d5df7e4dc3c","versionType":"git"},{"lessThan":"794ddbb7b63b6828c75967b9bcd43b086716e7a1","status":"affected","version":"04c20a9356f283da623903e81e7c6d5df7e4dc3c","versionType":"git"},{"lessThan":"864e3396976ef41de6cc7bc366276bf4e084fff2","status":"affected","version":"04c20a9356f283da623903e81e7c6d5df7e4dc3c","versionType":"git"},{"status":"affected","version":"bcefc3cd7f592a70fcbbbfd7ad1fbc69172ea78b","versionType":"git"},{"status":"affected","version":"477b35d94a21530046fe91589960732fcf2b29ed","versionType":"git"},{"status":"affected","version":"a27a5c40ee4cbe00294e2c76160de5f2589061ba","versionType":"git"},{"status":"affected","version":"9f605135a5c0fe614c2b15197b9ced1e217eca59","versionType":"git"},{"status":"affected","version":"705350fbd6ed4b5d89ee045fa57a0594a72b17d7","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/core/dev.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.12"},{"lessThan":"6.12","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.149","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.103","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.44","versionType":"semver"},{"lessThanOrEqual":"6.16.*","status":"unaffected","version":"6.16.4","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"6.17","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.149","versionStartIncluding":"6.1.116","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.103","versionStartIncluding":"6.6.60","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.44","versionStartIncluding":"6.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.16.4","versionStartIncluding":"6.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.17","versionStartIncluding":"6.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.323","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.285","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.229","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.171","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11.7","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM\n\nWhen performing Generic Segmentation Offload (GSO) on an IPv6 packet that\ncontains extension headers, the kernel incorrectly requests checksum offload\nif the egress device only advertises NETIF_F_IPV6_CSUM feature, which has\na strict contract: it supports checksum offload only for plain TCP or UDP\nover IPv6 and explicitly does not support packets with extension headers.\nThe current GSO logic violates this contract by failing to disable the feature\nfor packets with extension headers, such as those used in GREoIPv6 tunnels.\n\nThis violation results in the device being asked to perform an operation\nit cannot support, leading to a `skb_warn_bad_offload` warning and a collapse\nof network throughput. While device TSO/USO is correctly bypassed in favor\nof software GSO for these packets, the GSO stack must be explicitly told not\nto request checksum offload.\n\nMask NETIF_F_IPV6_CSUM, NETIF_F_TSO6 and NETIF_F_GSO_UDP_L4\nin gso_features_check if the IPv6 header contains extension headers to compute\nchecksum in software.\n\nThe exception is a BIG TCP extension, which, as stated in commit\n68e068cabd2c6c53 (\"net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets\"):\n\"The feature is only enabled on devices that support BIG TCP TSO.\nThe header is only present for PF_PACKET taps like tcpdump,\nand not transmitted by physical devices.\"\n\nkernel log output (truncated):\nWARNING: CPU: 1 PID: 5273 at net/core/dev.c:3535 skb_warn_bad_offload+0x81/0x140\n...\nCall Trace:\n <TASK>\n skb_checksum_help+0x12a/0x1f0\n validate_xmit_skb+0x1a3/0x2d0\n validate_xmit_skb_list+0x4f/0x80\n sch_direct_xmit+0x1a2/0x380\n __dev_xmit_skb+0x242/0x670\n __dev_queue_xmit+0x3fc/0x7f0\n ip6_finish_output2+0x25e/0x5d0\n ip6_finish_output+0x1fc/0x3f0\n ip6_tnl_xmit+0x608/0xc00 [ip6_tunnel]\n ip6gre_tunnel_xmit+0x1c0/0x390 [ip6_gre]\n dev_hard_start_xmit+0x63/0x1c0\n __dev_queue_xmit+0x6d0/0x7f0\n ip6_finish_output2+0x214/0x5d0\n ip6_finish_output+0x1fc/0x3f0\n ip6_xmit+0x2ca/0x6f0\n ip6_finish_output+0x1fc/0x3f0\n ip6_xmit+0x2ca/0x6f0\n inet6_csk_xmit+0xeb/0x150\n __tcp_transmit_skb+0x555/0xa80\n tcp_write_xmit+0x32a/0xe90\n tcp_sendmsg_locked+0x437/0x1110\n tcp_sendmsg+0x2f/0x50\n...\nskb linear:   00000000: e4 3d 1a 7d ec 30 e4 3d 1a 7e 5d 90 86 dd 60 0e\nskb linear:   00000010: 00 0a 1b 34 3c 40 20 11 00 00 00 00 00 00 00 00\nskb linear:   00000020: 00 00 00 00 00 12 20 11 00 00 00 00 00 00 00 00\nskb linear:   00000030: 00 00 00 00 00 11 2f 00 04 01 04 01 01 00 00 00\nskb linear:   00000040: 86 dd 60 0e 00 0a 1b 00 06 40 20 23 00 00 00 00\nskb linear:   00000050: 00 00 00 00 00 00 00 00 00 12 20 23 00 00 00 00\nskb linear:   00000060: 00 00 00 00 00 00 00 00 00 11 bf 96 14 51 13 f9\nskb linear:   00000070: ae 27 a0 a8 2b e3 80 18 00 40 5b 6f 00 00 01 01\nskb linear:   00000080: 08 0a 42 d4 50 d5 4b 70 f8 1a"}],"providerMetadata":{"dateUpdated":"2026-05-11T21:35:55.270Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/a0478d7e888028f85fa7785ea838ce0ca09398e2"},{"url":"https://git.kernel.org/stable/c/2156d9e9f2e483c8c3906c0ea57ea312c1424235"},{"url":"https://git.kernel.org/stable/c/041e2f945f82fdbd6fff577b79c33469430297aa"},{"url":"https://git.kernel.org/stable/c/794ddbb7b63b6828c75967b9bcd43b086716e7a1"},{"url":"https://git.kernel.org/stable/c/864e3396976ef41de6cc7bc366276bf4e084fff2"}],"title":"net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2025-39770","datePublished":"2025-09-11T16:56:24.446Z","dateReserved":"2025-04-16T07:20:57.128Z","dateUpdated":"2026-05-12T12:06:52.514Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2025-09-11 17:15:42","lastModifiedDate":"2026-05-12 13:17:10","problem_types":["NVD-CWE-noinfo"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.323","versionEndExcluding":"4.20","matchCriteriaId":"463063B3-3A9A-420D-A07B-46284CE30207"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.285","versionEndExcluding":"5.5","matchCriteriaId":"0F89CEF5-BEBB-4C4B-925A-D5644DDD9764"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.229","versionEndExcluding":"5.11","matchCriteriaId":"11390F38-11AA-4957-9789-9E4FB50D9C89"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.171","versionEndExcluding":"5.16","matchCriteriaId":"8FA383FE-32A6-400A-B7BA-ECFA9FEEF84B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.116","versionEndExcluding":"6.1.149","matchCriteriaId":"FDD7C5F7-53EA-4840-B0D1-2EECFDEB1261"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.60","versionEndExcluding":"6.6.103","matchCriteriaId":"4B8AAC28-B719-4190-A42F-9C272311A834"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11.7","versionEndExcluding":"6.12","matchCriteriaId":"1D208D31-DEC5-4B68-A52D-F1CB80565CD7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.1","versionEndExcluding":"6.12.44","matchCriteriaId":"1820D1FE-F8CB-47B8-8C4B-8A5E0794993B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.16.4","matchCriteriaId":"AFC28995-B8C3-4B68-8CB6-78E792B6629D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.12:-:*:*:*:*:*:*","matchCriteriaId":"0E698080-7669-4132-8817-4C674EEBCE54"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.12:rc6:*:*:*:*:*:*","matchCriteriaId":"24B88717-53F5-42AA-9B72-14C707639E3F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.12:rc7:*:*:*:*:*:*","matchCriteriaId":"1EF8CD82-1EAE-4254-9545-F85AB94CF90F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*","matchCriteriaId":"327D22EF-390B-454C-BD31-2ED23C998A1C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*","matchCriteriaId":"C730CD9A-D969-4A8E-9522-162AAF7C0EE9"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","matchCriteriaId":"FA6FEEC2-9F11-4643-8827-749718254FED"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"39770","Ordinal":"1","Title":"net: gso: Forbid IPv6 TSO with extensions on devices with only I","CVE":"CVE-2025-39770","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"39770","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM\n\nWhen performing Generic Segmentation Offload (GSO) on an IPv6 packet that\ncontains extension headers, the kernel incorrectly requests checksum offload\nif the egress device only advertises NETIF_F_IPV6_CSUM feature, which has\na strict contract: it supports checksum offload only for plain TCP or UDP\nover IPv6 and explicitly does not support packets with extension headers.\nThe current GSO logic violates this contract by failing to disable the feature\nfor packets with extension headers, such as those used in GREoIPv6 tunnels.\n\nThis violation results in the device being asked to perform an operation\nit cannot support, leading to a `skb_warn_bad_offload` warning and a collapse\nof network throughput. While device TSO/USO is correctly bypassed in favor\nof software GSO for these packets, the GSO stack must be explicitly told not\nto request checksum offload.\n\nMask NETIF_F_IPV6_CSUM, NETIF_F_TSO6 and NETIF_F_GSO_UDP_L4\nin gso_features_check if the IPv6 header contains extension headers to compute\nchecksum in software.\n\nThe exception is a BIG TCP extension, which, as stated in commit\n68e068cabd2c6c53 (\"net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets\"):\n\"The feature is only enabled on devices that support BIG TCP TSO.\nThe header is only present for PF_PACKET taps like tcpdump,\nand not transmitted by physical devices.\"\n\nkernel log output (truncated):\nWARNING: CPU: 1 PID: 5273 at net/core/dev.c:3535 skb_warn_bad_offload+0x81/0x140\n...\nCall Trace:\n <TASK>\n skb_checksum_help+0x12a/0x1f0\n validate_xmit_skb+0x1a3/0x2d0\n validate_xmit_skb_list+0x4f/0x80\n sch_direct_xmit+0x1a2/0x380\n __dev_xmit_skb+0x242/0x670\n __dev_queue_xmit+0x3fc/0x7f0\n ip6_finish_output2+0x25e/0x5d0\n ip6_finish_output+0x1fc/0x3f0\n ip6_tnl_xmit+0x608/0xc00 [ip6_tunnel]\n ip6gre_tunnel_xmit+0x1c0/0x390 [ip6_gre]\n dev_hard_start_xmit+0x63/0x1c0\n __dev_queue_xmit+0x6d0/0x7f0\n ip6_finish_output2+0x214/0x5d0\n ip6_finish_output+0x1fc/0x3f0\n ip6_xmit+0x2ca/0x6f0\n ip6_finish_output+0x1fc/0x3f0\n ip6_xmit+0x2ca/0x6f0\n inet6_csk_xmit+0xeb/0x150\n __tcp_transmit_skb+0x555/0xa80\n tcp_write_xmit+0x32a/0xe90\n tcp_sendmsg_locked+0x437/0x1110\n tcp_sendmsg+0x2f/0x50\n...\nskb linear:   00000000: e4 3d 1a 7d ec 30 e4 3d 1a 7e 5d 90 86 dd 60 0e\nskb linear:   00000010: 00 0a 1b 34 3c 40 20 11 00 00 00 00 00 00 00 00\nskb linear:   00000020: 00 00 00 00 00 12 20 11 00 00 00 00 00 00 00 00\nskb linear:   00000030: 00 00 00 00 00 11 2f 00 04 01 04 01 01 00 00 00\nskb linear:   00000040: 86 dd 60 0e 00 0a 1b 00 06 40 20 23 00 00 00 00\nskb linear:   00000050: 00 00 00 00 00 00 00 00 00 12 20 23 00 00 00 00\nskb linear:   00000060: 00 00 00 00 00 00 00 00 00 11 bf 96 14 51 13 f9\nskb linear:   00000070: ae 27 a0 a8 2b e3 80 18 00 40 5b 6f 00 00 01 01\nskb linear:   00000080: 08 0a 42 d4 50 d5 4b 70 f8 1a","Type":"Description","Title":"net: gso: Forbid IPv6 TSO with extensions on devices with only I"}]}}}