{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2026-04-14T21:21:32.861",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2025-22021",
        "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "published": "2025-04-16T11:15:42.773",
        "lastModified": "2025-11-03T20:17:38.063",
        "vulnStatus": "Modified",
        "cveTags": [],
        "descriptions": [
          {
            "lang": "en",
            "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: socket: Lookup orig tuple for IPv6 SNAT\n\nnf_sk_lookup_slow_v4 does the conntrack lookup for IPv4 packets to\nrestore the original 5-tuple in case of SNAT, to be able to find the\nright socket (if any). Then socket_match() can correctly check whether\nthe socket was transparent.\n\nHowever, the IPv6 counterpart (nf_sk_lookup_slow_v6) lacks this\nconntrack lookup, making xt_socket fail to match on the socket when the\npacket was SNATed. Add the same logic to nf_sk_lookup_slow_v6.\n\nIPv6 SNAT is used in Kubernetes clusters for pod-to-world packets, as\npods' addresses are in the fd00::/8 ULA subnet and need to be replaced\nwith the node's external address. Cilium leverages Envoy to enforce L7\npolicies, and Envoy uses transparent sockets. Cilium inserts an iptables\nprerouting rule that matches on `-m socket --transparent` and redirects\nthe packets to localhost, but it fails to match SNATed IPv6 packets due\nto that missing conntrack lookup."
          },
          {
            "lang": "es",
            "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: socket: Lookup orig tuple for IPv6 SNAT nf_sk_lookup_slow_v4 realiza la búsqueda conntrack de paquetes IPv4 para restaurar la 5-tupla original en caso de SNAT, para poder encontrar el socket correcto (si lo hay). Entonces socket_match() puede verificar correctamente si el socket era transparente. Sin embargo, la contraparte IPv6 (nf_sk_lookup_slow_v6) carece de esta búsqueda conntrack, lo que hace que xt_socket no coincida en el socket cuando el paquete fue SNATed. Agregue la misma lógica a nf_sk_lookup_slow_v6. SNAT IPv6 se usa en clústeres de Kubernetes para paquetes pod-to-world, ya que las direcciones de los pods están en la subred fd00::/8 ULA y deben reemplazarse con la dirección externa del nodo. Cilium utiliza Envoy para implementar políticas L7, y Envoy utiliza sockets transparentes. Cilium inserta una regla de preenrutamiento de iptables que coincide con `-m socket --transparent` y redirige los paquetes a localhost, pero no coincide con los paquetes IPv6 SNAT debido a la falta de búsqueda de conntrack."
          }
        ],
        "metrics": {
          "cvssMetricV31": [
            {
              "source": "nvd@nist.gov",
              "type": "Primary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "attackVector": "LOCAL",
                "attackComplexity": "LOW",
                "privilegesRequired": "LOW",
                "userInteraction": "NONE",
                "scope": "UNCHANGED",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "availabilityImpact": "HIGH"
              },
              "exploitabilityScore": 1.8,
              "impactScore": 3.6
            }
          ]
        },
        "weaknesses": [
          {
            "source": "nvd@nist.gov",
            "type": "Primary",
            "description": [
              { "lang": "en", "value": "NVD-CWE-noinfo" }
            ]
          }
        ],
        "configurations": [
          {
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                    "versionStartIncluding": "3.13",
                    "versionEndExcluding": "5.4.292",
                    "matchCriteriaId": "7F195470-F0D7-4E43-9F03-A295DFCF6531"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                    "versionStartIncluding": "5.5",
                    "versionEndExcluding": "5.10.236",
                    "matchCriteriaId": "1DF46FB0-9163-4ABE-8CCA-32A497D4715B"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                    "versionStartIncluding": "5.11",
                    "versionEndExcluding": "5.15.180",
                    "matchCriteriaId": "D19801C8-3D18-405D-9989-E6C9B30255FA"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                    "versionStartIncluding": "5.16",
                    "versionEndExcluding": "6.1.133",
                    "matchCriteriaId": "F0054446-3F3B-42C4-BDB3-8FDD29D57F23"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                    "versionStartIncluding": "6.2",
                    "versionEndExcluding": "6.6.86",
                    "matchCriteriaId": "5DB427C2-3400-4B39-AC18-49AECE5221B5"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                    "versionStartIncluding": "6.7",
                    "versionEndExcluding": "6.12.22",
                    "matchCriteriaId": "9F037D3C-D627-4151-8546-1A2E3C2B38A8"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                    "versionStartIncluding": "6.13",
                    "versionEndExcluding": "6.13.10",
                    "matchCriteriaId": "E9410CA0-CED8-49BE-9DB4-856654736C32"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:o:linux:linux_kernel:6.14:*:*:*:*:*:*:*",
                    "matchCriteriaId": "82E37853-46C8-4BB6-9FA4-9838FD34D6A2"
                  }
                ]
              }
            ]
          }
        ],
        "references": [
          {
            "url": "https://git.kernel.org/stable/c/1ca2169cc19dca893c7aae6af122852097435d16",
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "tags": ["Patch"]
          },
          {
            "url": "https://git.kernel.org/stable/c/1ec43100f7123010730b7ddfc3d5c2eac19e70e7",
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "tags": ["Patch"]
          },
          {
            "url": "https://git.kernel.org/stable/c/221c27259324ec1404f028d4f5a0f2ae7f63ee23",
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "tags": ["Patch"]
          },
          {
            "url": "https://git.kernel.org/stable/c/2bb139e483f8cbe488d19d8c1135ac3615e2668c",
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "tags": ["Patch"]
          },
          {
            "url": "https://git.kernel.org/stable/c/41904cbb343d115931d6bf79aa2c815cac4ef72b",
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "tags": ["Patch"]
          },
          {
            "url": "https://git.kernel.org/stable/c/5251041573850e5020cd447374e23010be698898",
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "tags": ["Patch"]
          },
          {
            "url": "https://git.kernel.org/stable/c/58ab63d3ded2ca6141357a2b24eee8453d0f871d",
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "tags": ["Patch"]
          },
          {
            "url": "https://git.kernel.org/stable/c/6488b96a79a26e19100ad872622f04e93b638d7f",
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "tags": ["Patch"]
          },
          {
            "url": "https://git.kernel.org/stable/c/932b32ffd7604fb00b5c57e239a3cc4d901ccf6e",
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "tags": ["Patch"]
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html",
            "source": "af854a3a-2127-422b-91ae-364da2661108"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html",
            "source": "af854a3a-2127-422b-91ae-364da2661108"
          }
        ]
      }
    }
  ]
}