CVE-2025-22021

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description The issue concerns a vulnerability in the Linux kernel's netfilter socket implementation. Specifically, the IPv6 counterpart of the nf sk lookup slow v4 function, nf sk lookup slow v6, lacks a conntrack lookup. This omission causes xt socket to fail in matching the socket when a packet has been SNATed. The vulnerability affects IPv6 SNAT used in Kubernetes clusters for pod-to-world packets, where pod addresses in the fd00::/8 ULA subnet need to be replaced with the node's external address. Cilium, which leverages Envoy for L7 policy enforcement and uses transparent sockets, is impacted as its iptables prerouting rule fails to match SNATed IPv6 packets due to the missing conntrack lookup.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.