CVE-2025-47268

Name: CVE-2025-47268
Description: ping in iputils before 20250602 allows a denial of service (application error or incorrect data collection) via a crafted ICMP Echo Reply packet, because of a signed 64-bit integer overflow in timestamp multiplication.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1104746, 1109728

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| iputils (PTS) | bullseye | 3:20210202-1 | vulnerable |
| | bookworm | 3:20221126-1+deb12u1 | vulnerable |
| | trixie | 3:20240905-3 | vulnerable |
| | forky, sid | 3:20250605-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| iputils | source | (unstable) | 3:20250605-1 | unimportant | | 1104746, 1109728 |

Notes

https://github.com/iputils/iputils/issues/584
https://github.com/Zephkek/ping-rtt-overflow/
Fixed by: https://github.com/iputils/iputils/commit/070cfacd7348386173231fb16fad4983d4e6ae40
When fixing this issue make sure to address the fix completely and not open
up CVE-2025-48964.
Followup fix: https://github.com/iputils/iputils/commit/afa36390394a6e0cceba03b52b59b6d41710608c
Negligible security impact
