CVE-2025-38192: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability in the Linux kernel was discovered related to NAT46 BPF program handling, identified as CVE-2025-38192. The issue was disclosed on July 4, 2025, affecting the Linux kernel's network stack. The vulnerability occurs when a NAT46 BPF program indiscriminately flips ingress packets from IPv4 to IPv6, potentially leading to a kernel crash due to NULL pointer dereference (NVD CVE, Debian Tracker).

The vulnerability manifests when a NAT46 BPF program changes ingress packets from IPv4 to IPv6 without proper validation. The issue occurs in the network stack where the output interface has a 4->6 program attached at ingress. When attempting to loop the multicast skb back to the sending socket, the ingress BPF runs as part of netifrx(), pushes a valid v6 header and changes skb->protocol to v6. The problem arises when ip6rcvcore tries to use skbdst(), but the dst is still an IPv4 one left after IPv4 multicast output, resulting in a NULL pointer dereference (CVE Details).

The vulnerability can cause a kernel crash through NULL pointer dereference when processing network packets, potentially leading to system instability and denial of service. This affects systems running the Linux kernel with NAT46 BPF programs configured (NVD CVE).

The fix involves clearing the dst in all BPF helpers which change the protocol while preserving metadata dsts that may carry non-routing metadata. The vulnerability has been resolved in various Linux distributions, with fixed versions available. For Debian, the fix is included in version 6.12.35-1 and later (Debian Tracker).