CVE-2025-40363
Description
In the Linux kernel, the following vulnerability has been resolved:
net: ipv6: fix field-spanning memcpy warning in AH output
Fix field-spanning memcpy warnings in ah6_output() and ah6_output_done() where extension headers are copied to/from IPv6 address fields, triggering fortify-string warnings about writes beyond the 16-byte address fields.
memcpy: detected field-spanning write (size 40) of single field "&top_iph->saddr" at net/ipv6/ah6.c:439 (size 16)
WARNING: CPU: 0 PID: 8838 at net/ipv6/ah6.c:439 ah6_output+0xe7e/0x14e0 net/ipv6/ah6.c:439
The warnings are false positives as the extension headers are intentionally placed after the IPv6 header in memory. Fix by properly copying addresses and extension headers separately, and introduce helper functions to avoid code duplication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A false-positive fortify-string memcpy warning in the Linux kernel's IPv6 Authentication Header (AH) output path has been fixed by copying the addresses and extension headers as separate fields; on kernels configured with panic_on_warn, the warning had meant a crash.
Vulnerability
In the Linux kernel's IPsec subsystem, ah6_output() and ah6_output_done() triggered a "memcpy: detected field-spanning write" warning when saving and restoring IPv6 extension headers around ICV computation. The copy started at top_iph->saddr, a 16-byte struct in6_addr, and ran for up to 40 bytes: through saddr, daddr and into the extension headers that follow the fixed header. Because the extension headers are deliberately placed immediately after the IPv6 header in memory, the copy stays inside the packet buffer and is safe at runtime; CONFIG_FORTIFY_SOURCE, however, checks each memcpy against the size of the single struct member it names, so it reported a write beyond a 16-byte field [1].
Attack
Vector
The triggering packet itself needs nothing unusual: the warning fires during ordinary processing of an outbound IPv6 packet that carries extension headers and is transformed by an AH security association. What is required is that an AH SA and matching policy exist, which is an administrative (CAP_NET_ADMIN) configuration; once they do, any process whose traffic matches the policy reaches the affected code. On kernels that allow unprivileged user namespaces, an unprivileged process can obtain CAP_NET_ADMIN in its own network namespace and set up such an SA itself, which is how fuzzers reach this path [1].
Impact
The check is compiled in only with CONFIG_FORTIFY_SOURCE and reports through WARN_ONCE rather than returning an error, so on a default configuration the cost is a single log message with a stack trace per boot. On systems with panic_on_warn set (common on hardened builds and fuzzing kernels), the first such packet halts the machine, which is the denial-of-service concern. The copy itself stays within the packet buffer; no memory corruption or privilege escalation has been reported [1].
Mitigation
The fix separates the copy of the IPv6 addresses from the copy of the extension headers, so that each memcpy stays within the object it names, and introduces helper functions so the output and output-done paths share that logic rather than duplicating it. This removes the false warning without changing the bytes saved and restored. The fix is included in the stable kernel trees listed under References ([1] through [8]). Systems that set panic_on_warn should be updated promptly, since on them the warning is a crash.
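The save/restore that the Vulnerability and Mitigation sections describe, as an added user-space model; this is not the kernel's code or the patch. The types with an _x suffix are stand-ins that mirror the layout of struct ipv6hdr and struct in6_addr, fortify_would_warn models the CONFIG_FORTIFY_SOURCE member-size check, toy_icv is an FNV-1a stand-in for the real AH ICV, and the packet is constructed here. It shows the single memcpy from &top_iph->saddr that spans saddr, daddr and the following 8-byte Hop-by-Hop header (40 bytes against a 16-byte field, as in the reported warning) beside the per-field copy that saves identical bytes, and the zero-mutable-fields, compute-ICV, restore sequence around it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct in6_addr_x { uint8_t s6_addr[16]; };   /* stand-in for struct in6_addr */

struct ipv6hdr_x {                             /* same layout as struct ipv6hdr, 40 bytes */
    uint8_t  version_priority;                 /* version nibble + high traffic-class nibble */
    uint8_t  flow_lbl[3];                      /* low traffic-class nibble + flow label */
    uint16_t payload_len;
    uint8_t  nexthdr;
    uint8_t  hop_limit;
    struct in6_addr_x saddr;
    struct in6_addr_x daddr;
};

#define IPV6HDR_BASELEN 8                      /* bytes before saddr, as in net/ipv6/ah6.c */
#define ADDRS_LEN       (2 * sizeof(struct in6_addr_x))
#define SAMPLE_EXTLEN   8                      /* one minimal Hop-by-Hop header */
#define SAMPLE_LEN      (sizeof(struct ipv6hdr_x) + SAMPLE_EXTLEN)

/* Model of the CONFIG_FORTIFY_SOURCE check: a memcpy whose source or destination
 * names a single struct member is reported once the length exceeds that member. */
static bool fortify_would_warn(size_t member_size, size_t len)
{
    return len > member_size;
}

/* Pattern the warning pointed at: one memcpy from &top_iph->saddr that runs on
 * through daddr and into the extension headers stored right after the header.
 * In bounds at runtime, but a field-spanning access of a 16-byte field. */
static size_t save_spanning(uint8_t *dst, const struct ipv6hdr_x *top_iph, size_t extlen)
{
    size_t len = ADDRS_LEN + extlen;           /* 40 for the sample packet */
    memcpy(dst, &top_iph->saddr, len);
    return len;
}

/* Per-field copy in the spirit of the fix: every memcpy stays inside the object
 * it names, yet the same bytes land in the save area. */
static size_t save_addrs_and_ext(uint8_t *dst, const struct ipv6hdr_x *top_iph, size_t extlen)
{
    memcpy(dst, &top_iph->saddr, sizeof(top_iph->saddr));
    memcpy(dst + sizeof(top_iph->saddr), &top_iph->daddr, sizeof(top_iph->daddr));
    memcpy(dst + ADDRS_LEN, (const uint8_t *)(top_iph + 1), extlen);
    return ADDRS_LEN + extlen;
}

static void restore_addrs_and_ext(struct ipv6hdr_x *top_iph, const uint8_t *src, size_t extlen)
{
    memcpy(&top_iph->saddr, src, sizeof(top_iph->saddr));
    memcpy(&top_iph->daddr, src + sizeof(top_iph->saddr), sizeof(top_iph->daddr));
    memcpy((uint8_t *)(top_iph + 1), src + ADDRS_LEN, extlen);
}

/* Toy stand-in for the AH ICV (FNV-1a), not the kernel's keyed hash. */
static uint32_t toy_icv(const uint8_t *p, size_t len)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < len; i++)
        h = (h ^ p[i]) * 16777619u;
    return h;
}

/* Output-path model: save header state, zero the mutable base-header fields
 * (traffic class, flow label, hop limit), compute the ICV, put everything back. */
static uint32_t ah6_output_model(uint8_t *pkt, size_t extlen)
{
    struct ipv6hdr_x *top_iph = (struct ipv6hdr_x *)pkt;
    uint8_t tmp[IPV6HDR_BASELEN + ADDRS_LEN + 64];
    uint8_t *iph_base = tmp, *iph_ext = tmp + IPV6HDR_BASELEN;

    memcpy(iph_base, top_iph, IPV6HDR_BASELEN);
    save_addrs_and_ext(iph_ext, top_iph, extlen);

    top_iph->version_priority &= 0xf0;
    memset(top_iph->flow_lbl, 0, sizeof(top_iph->flow_lbl));
    top_iph->hop_limit = 0;
    uint32_t icv = toy_icv(pkt, sizeof(*top_iph) + extlen);

    memcpy(top_iph, iph_base, IPV6HDR_BASELEN);
    restore_addrs_and_ext(top_iph, iph_ext, extlen);
    return icv;
}

/* Constructed sample (not a capture): IPv6 header followed by an 8-byte
 * Hop-by-Hop header whose next header is AH (51) and whose option is PadN. */
static void build_sample(uint8_t *pkt)
{
    struct ipv6hdr_x *h = (struct ipv6hdr_x *)pkt;
    memset(pkt, 0, SAMPLE_LEN);
    h->version_priority = 0x6e;                /* version 6, traffic class 0xe0 */
    h->flow_lbl[2] = 0x2a;
    h->nexthdr = 0;                            /* Hop-by-Hop options follow */
    h->hop_limit = 64;
    memset(h->saddr.s6_addr, 0xaa, sizeof(h->saddr));
    memset(h->daddr.s6_addr, 0xbb, sizeof(h->daddr));
    pkt[40] = 51; pkt[41] = 0; pkt[42] = 1; pkt[43] = 4;   /* AH next, hdrlen 0, PadN(4) */
}

/* 1 if the old spanning copy and the per-field copy save identical bytes. */
static int demo_refactor_is_byte_identical(void)
{
    uint32_t raw[SAMPLE_LEN / 4];              /* uint32_t storage keeps the header aligned */
    uint8_t *pkt = (uint8_t *)raw, a[64], b[64];
    build_sample(pkt);
    size_t na = save_spanning(a, (struct ipv6hdr_x *)pkt, SAMPLE_EXTLEN);
    size_t nb = save_addrs_and_ext(b, (struct ipv6hdr_x *)pkt, SAMPLE_EXTLEN);
    return na == nb && na == 40 && memcmp(a, b, na) == 0;
}

/* 1 if the output path leaves the packet exactly as it found it and the ICV
 * was computed over the header with its mutable fields zeroed. */
static int demo_packet_restored(void)
{
    uint32_t raw[SAMPLE_LEN / 4], orig[SAMPLE_LEN / 4];
    uint8_t *pkt = (uint8_t *)raw;
    build_sample(pkt);
    memcpy(orig, raw, SAMPLE_LEN);
    uint32_t icv = ah6_output_model(pkt, SAMPLE_EXTLEN);
    return memcmp(raw, orig, SAMPLE_LEN) == 0 && icv != toy_icv(pkt, SAMPLE_LEN);
}
```

The model check fortify_would_warn(16, 40) is what the kernel's fortify-string.h effectively evaluates for the copy that starts at &top_iph->saddr; the per-field version never hands memcpy a length larger than the member it points at, which is why the warning disappears while demo_refactor_is_byte_identical() confirms the saved bytes are unchanged.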
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
- 2da805a61ef5
- 9bf27de51bd6
- 0bf756ae1e69
- 75b16b2755e1
- f28dde240160
- c14cf4109413
- b056f971bd72
- 2327a3d6f65c
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] git.kernel.org/stable/c/0bf756ae1e69fec5e6332c37830488315d6d771b
- [2] git.kernel.org/stable/c/2327a3d6f65ce2fe2634546dde4a25ef52296fec
- [3] git.kernel.org/stable/c/2da805a61ef5272a2773775ce14c3650adb84248
- [4] git.kernel.org/stable/c/75b16b2755e12999ad850756ddfb88ad4bfc7186
- [5] git.kernel.org/stable/c/9bf27de51bd6db5ff827780ec0eba55de230ba45
- [6] git.kernel.org/stable/c/b056f971bd72b373b7ae2025a8f3bd18f69653d3
- [7] git.kernel.org/stable/c/c14cf41094136691c92ef756872570645d61f4a1
- [8] git.kernel.org/stable/c/f28dde240160f3c48a50d641d210ed6a3b9596ed