CVE-2025-47268: 
Linux Debian vulnerability analysis and mitigation

A vulnerability has been discovered in the ping utility of iputils through version 20240905, identified as CVE-2025-47268. The vulnerability was disclosed on May 5, 2025, and involves a denial of service condition caused by a signed 64-bit integer overflow in timestamp multiplication during RTT (Round Trip Time) calculations (NVD, Wiz).

The vulnerability exists in pingcommon.c where the RTT computation multiplies tv->tvsec (a signed 64-bit long controlled via ICMP payload) by 1,000,000 without overflow checks. This multiplication can exceed LONGMAX, triggering a signed integer overflow (CWE-190). Under AddressSanitizer (ASan), this manifests as a runtime error, while in non-ASan builds it silently wraps to zero. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L (NVD, [SUSE Bugzilla](https://bugzilla.suse.com/showbug.cgi?id=1242300)).

When exploited, this vulnerability can cause a denial of service through application errors or incorrect data collection. Specifically, it can result in repeated zero-RTT readings and incorrect statistics in the ping utility, potentially affecting network monitoring and diagnostics (Wiz, GitHub Issue).

A fix has been proposed that modifies the RTT computation to use proper value clamping and implements checks to ensure the result stays within valid ranges. The fix includes validation of tvusec values and proper handling of negative tvsec values (GitHub PR).