
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability in the Linux kernel's netfilter subsystem was discovered and assigned CVE-2025-22021. The issue was disclosed on April 16, 2025, and affects IPv6 SNAT (Source Network Address Translation) handling. Specifically, the nf_sk_lookup_slow_v6 function, unlike its IPv4 counterpart, does not perform a conntrack lookup before looking up the socket (NVD).
The vulnerability stems from a missing conntrack lookup in the nf_sk_lookup_slow_v6 function, which is responsible for handling IPv6 SNAT packets. While the IPv4 version (nf_sk_lookup_slow_v4) correctly performs conntrack lookup to restore the original 5-tuple in SNAT cases, the IPv6 implementation lacks this functionality. This causes xt_socket to fail when matching on the socket for SNATed packets. The issue particularly affects Kubernetes clusters where IPv6 SNAT is used for pod-to-world packets, as pods' addresses in the fd00::/8 ULA subnet need translation to the node's external address (NVD, Red Hat).
The vulnerability affects Kubernetes environments using Cilium for network policy enforcement. Specifically, when Cilium uses Envoy to enforce L7 policies with transparent sockets, the iptables prerouting rules that match on -m socket --transparent and redirect packets to localhost fail to match SNATed IPv6 packets due to the missing conntrack lookup (NVD).
Red Hat has marked this vulnerability as having 'Moderate' impact with a CVSS v3 score of 5.5. For Red Hat Enterprise Linux 9, the fix has been deferred, while versions 6 and 7 are not affected. The vulnerability has been resolved in the Linux kernel by adding the same conntrack lookup logic to nf_sk_lookup_slow_v6 that exists in the IPv4 implementation (Red Hat).
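A small C model of the lookup logic described above, added here as an example; it is not kernel code, and the tuple, conntrack and socket structures, addresses and ports are constructed stand-ins for the Cilium/Envoy scenario (a transparent socket bound to a pod's ULA address, with the pod-to-world packet SNAT-ed to the node address). It shows why the reply packet only matches the socket once the original source is restored from conntrack:

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* 5-tuple minus protocol; addresses kept as strings for readability. */
struct tuple { const char *src; unsigned sport; const char *dst; unsigned dport; };

/* Conntrack entry: original-direction tuple, reply-direction tuple, SNAT flag. */
struct ct_entry { struct tuple orig; struct tuple reply; bool src_nat_done; };

/* Socket identified by its local endpoint; 'transparent' models IP_TRANSPARENT. */
struct sock { const char *local_addr; unsigned local_port; bool transparent; };

static bool tuple_eq(const struct tuple *a, const struct tuple *b)
{
    return a->sport == b->sport && a->dport == b->dport &&
           strcmp(a->src, b->src) == 0 && strcmp(a->dst, b->dst) == 0;
}

static const struct sock *lookup_sock(const struct sock *socks, size_t n,
                                      const char *daddr, unsigned dport)
{
    for (size_t i = 0; i < n; i++)
        if (socks[i].local_port == dport && strcmp(socks[i].local_addr, daddr) == 0)
            return &socks[i];
    return NULL;
}

/* Models nf_sk_lookup_slow: with_ct_lookup=false is the unfixed IPv6 path,
 * with_ct_lookup=true is what IPv4 does and what the fix adds for IPv6. */
static const struct sock *sk_lookup_slow(const struct tuple *pkt, const struct ct_entry *ct,
                                         bool with_ct_lookup, const struct sock *socks, size_t n)
{
    const char *daddr = pkt->dst;
    unsigned dport = pkt->dport;
    /* Reply packet of an SNAT-ed connection: look up the socket by the
     * pre-SNAT address, i.e. the source of the original direction. */
    if (with_ct_lookup && ct && ct->src_nat_done && tuple_eq(pkt, &ct->reply)) {
        daddr = ct->orig.src;
        dport = ct->orig.sport;
    }
    return lookup_sock(socks, n, daddr, dport);
}

/* Constructed scenario: pod fd00::a:40000 -> 2001:db8::1:443, SNAT-ed to node 2001:db8::100:51000. */
static const struct sock socks[] = { { "fd00::a", 40000, true } };
static const struct ct_entry ct = { { "fd00::a", 40000, "2001:db8::1", 443 },
                                    { "2001:db8::1", 443, "2001:db8::100", 51000 }, true };
static const struct tuple reply_pkt = { "2001:db8::1", 443, "2001:db8::100", 51000 };

/* True if an "-m socket --transparent" style match would succeed on the reply. */
bool transparent_match(bool with_ct_lookup)
{
    const struct sock *sk = sk_lookup_slow(&reply_pkt, &ct, with_ct_lookup, socks, 1);
    return sk != NULL && sk->transparent;
}
```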
Source: This report was generated using AI