Linux Kernel Netfilter IPv6 SNAT Socket Matching Vulnerability

Vulnerability

A vulnerability in the Linux kernel's netfilter component affects the handling of IPv6 packets in relation to socket transparency and connection tracking. The issue arises in the 'nf_sk_lookup_slow_v6' function, which fails to perform the necessary connection tracking lookup for IPv6 packets that have been source NATed (SNAT). This omission prevents the 'xt_socket' module from correctly matching SNATed IPv6 packets with the appropriate sockets, disrupting expected network behavior. The vulnerability is particularly relevant in Kubernetes environments using Cilium, where IPv6 SNAT is applied to pod traffic.

Impact

The vulnerability disrupts the correct matching of SNATed IPv6 packets with their corresponding sockets, which can lead to improper handling of network traffic in affected environments.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

9.0

impact

0.6

exploitability

5.3

remediation

0.0

relevance

0.0

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

9.0

impact

0.6

exploitability

5.3

remediation

0.0

relevance

0.0

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Linux Kernel Netfilter IPv6 SNAT Socket Matching Vulnerability

Vulnerability

Impact

Affected Products

Linux kernel

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating