FKIE_CVE-2025-68241

Vulnerability from fkie_nvd - Published: 2025-12-16 15:15 - Updated: 2026-06-17 09:58
Severity
Summary
In the Linux kernel, the following vulnerability has been resolved: ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe The sit driver's packet transmission path calls: sit_tunnel_xmit() -> update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called to delete entries exceeding FNHE_RECLAIM_DEPTH+random. The race window is between fnhe_remove_oldest() selecting fnheX for deletion and the subsequent kfree_rcu(). During this time, the concurrent path's __mkroute_output() -> find_exception() can fetch the soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a new dst using a dst_hold(). When the original fnheX is freed via RCU, the dst reference remains permanently leaked. CPU 0 CPU 1 __mkroute_output() find_exception() [fnheX] update_or_create_fnhe() fnhe_remove_oldest() [fnheX] rt_bind_exception() [bind dst] RCU callback [fnheX freed, dst leak] This issue manifests as a device reference count leak and a warning in dmesg when unregistering the net device: unregister_netdevice: waiting for sitX to become free. Usage count = N Ido Schimmel provided the simple test validation method [1]. The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes(). Since rt_bind_exception() checks this field, setting it to zero prevents the stale fnhe from being reused and bound to a new dst just before it is freed. [1] ip netns add ns1 ip -n ns1 link set dev lo up ip -n ns1 address add 192.0.2.1/32 dev lo ip -n ns1 link add name dummy1 up type dummy ip -n ns1 route add 192.0.2.2/32 dev dummy1 ip -n ns1 link add name gretap1 up arp off type gretap \ local 192.0.2.1 remote 192.0.2.2 ip -n ns1 route add 198.51.0.0/16 dev gretap1 taskset -c 0 ip netns exec ns1 mausezahn gretap1 \ -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & taskset -c 2 ip netns exec ns1 mausezahn gretap1 \ -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & sleep 10 ip netns pids ns1 | xargs kill ip netns del ns1
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/041ab9ca6e80d8f792bb69df28ebf1ef39c06af8
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/0fd16ed6dc331636fb2a874c42d2f7d3156f7ff0
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/298f1e0694ab4edb6092d66efed93c4554e6ced1
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/4b7210da22429765d19460d38c30eeca72656282
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/69d35c12168f9c59b159ae566f77dfad9f96d7ca
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ac1499fcd40fe06479e9b933347b837ccabc2a40
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b84f083f50ecc736a95091691339a1b363962f0e
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b8a44407bdaf2f0c5505cc7d9fc7d8da90cf9a94
Impacted products
Vendor Product Version
To clipboard 

{
  "affected": [
    {
      "affectedData": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/route.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "69d35c12168f9c59b159ae566f77dfad9f96d7ca",
              "status": "affected",
              "version": "e46e23c289f62ccd8e2230d9ce652072d777ff30",
              "versionType": "git"
            },
            {
              "lessThan": "4b7210da22429765d19460d38c30eeca72656282",
              "status": "affected",
              "version": "5867e20e1808acd0c832ddea2587e5ee49813874",
              "versionType": "git"
            },
            {
              "lessThan": "298f1e0694ab4edb6092d66efed93c4554e6ced1",
              "status": "affected",
              "version": "67d6d681e15b578c1725bad8ad079e05d1c48a8e",
              "versionType": "git"
            },
            {
              "lessThan": "b8a44407bdaf2f0c5505cc7d9fc7d8da90cf9a94",
              "status": "affected",
              "version": "67d6d681e15b578c1725bad8ad079e05d1c48a8e",
              "versionType": "git"
            },
            {
              "lessThan": "041ab9ca6e80d8f792bb69df28ebf1ef39c06af8",
              "status": "affected",
              "version": "67d6d681e15b578c1725bad8ad079e05d1c48a8e",
              "versionType": "git"
            },
            {
              "lessThan": "b84f083f50ecc736a95091691339a1b363962f0e",
              "status": "affected",
              "version": "67d6d681e15b578c1725bad8ad079e05d1c48a8e",
              "versionType": "git"
            },
            {
              "lessThan": "0fd16ed6dc331636fb2a874c42d2f7d3156f7ff0",
              "status": "affected",
              "version": "67d6d681e15b578c1725bad8ad079e05d1c48a8e",
              "versionType": "git"
            },
            {
              "lessThan": "ac1499fcd40fe06479e9b933347b837ccabc2a40",
              "status": "affected",
              "version": "67d6d681e15b578c1725bad8ad079e05d1c48a8e",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "bed8941fbdb72a61f6348c4deb0db69c4de87aca",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f10ce783bcc4d8ea454563a7d56ae781640e7dcb",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f484595be6b7ef9d095a32becabb5dae8204fb2a",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3e6bd2b583f18da9856fc9741ffa200a74a52cba",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "5ae06218331f39ec45b5d039aa7cb3ddd4bb8008",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "4589a12dcf80af31137ef202be1ff4a321707a73",
              "versionType": "git"
            },
            {
              "lessThan": "5.4.302",
              "status": "affected",
              "version": "5.4.146",
              "versionType": "semver"
            },
            {
              "lessThan": "5.10.247",
              "status": "affected",
              "version": "5.10.65",
              "versionType": "semver"
            },
            {
              "lessThan": "4.5",
              "status": "affected",
              "version": "4.4.284",
              "versionType": "semver"
            },
            {
              "lessThan": "4.10",
              "status": "affected",
              "version": "4.9.283",
              "versionType": "semver"
            },
            {
              "lessThan": "4.15",
              "status": "affected",
              "version": "4.14.247",
              "versionType": "semver"
            },
            {
              "lessThan": "4.20",
              "status": "affected",
              "version": "4.19.207",
              "versionType": "semver"
            },
            {
              "lessThan": "5.14",
              "status": "affected",
              "version": "5.13.17",
              "versionType": "semver"
            },
            {
              "lessThan": "5.15",
              "status": "affected",
              "version": "5.14.4",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/route.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe\n\nThe sit driver\u0027s packet transmission path calls: sit_tunnel_xmit() -\u003e\nupdate_or_create_fnhe(), which lead to fnhe_remove_oldest() being called\nto delete entries exceeding FNHE_RECLAIM_DEPTH+random.\n\nThe race window is between fnhe_remove_oldest() selecting fnheX for\ndeletion and the subsequent kfree_rcu(). During this time, the\nconcurrent path\u0027s __mkroute_output() -\u003e find_exception() can fetch the\nsoon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a\nnew dst using a dst_hold(). When the original fnheX is freed via RCU,\nthe dst reference remains permanently leaked.\n\nCPU 0                             CPU 1\n__mkroute_output()\n  find_exception() [fnheX]\n                                  update_or_create_fnhe()\n                                    fnhe_remove_oldest() [fnheX]\n  rt_bind_exception() [bind dst]\n                                  RCU callback [fnheX freed, dst leak]\n\nThis issue manifests as a device reference count leak and a warning in\ndmesg when unregistering the net device:\n\n  unregister_netdevice: waiting for sitX to become free. Usage count = N\n\nIdo Schimmel provided the simple test validation method [1].\n\nThe fix clears \u0027oldest-\u003efnhe_daddr\u0027 before calling fnhe_flush_routes().\nSince rt_bind_exception() checks this field, setting it to zero prevents\nthe stale fnhe from being reused and bound to a new dst just before it\nis freed.\n\n[1]\nip netns add ns1\nip -n ns1 link set dev lo up\nip -n ns1 address add 192.0.2.1/32 dev lo\nip -n ns1 link add name dummy1 up type dummy\nip -n ns1 route add 192.0.2.2/32 dev dummy1\nip -n ns1 link add name gretap1 up arp off type gretap \\\n    local 192.0.2.1 remote 192.0.2.2\nip -n ns1 route add 198.51.0.0/16 dev gretap1\ntaskset -c 0 ip netns exec ns1 mausezahn gretap1 \\\n    -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q \u0026\ntaskset -c 2 ip netns exec ns1 mausezahn gretap1 \\\n    -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q \u0026\nsleep 10\nip netns pids ns1 | xargs kill\nip netns del ns1"
    }
  ],
  "id": "CVE-2025-68241",
  "lastModified": "2026-06-17T09:58:47.443",
  "metrics": {
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2025-68241",
          "options": [
            {
              "exploitation": "none"
            },
            {
              "automatable": "no"
            },
            {
              "technicalImpact": "partial"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2026-06-16T16:24:01.270292Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2025-12-16T15:15:53.283",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/041ab9ca6e80d8f792bb69df28ebf1ef39c06af8"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/0fd16ed6dc331636fb2a874c42d2f7d3156f7ff0"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/298f1e0694ab4edb6092d66efed93c4554e6ced1"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/4b7210da22429765d19460d38c30eeca72656282"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/69d35c12168f9c59b159ae566f77dfad9f96d7ca"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/ac1499fcd40fe06479e9b933347b837ccabc2a40"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/b84f083f50ecc736a95091691339a1b363962f0e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/b8a44407bdaf2f0c5505cc7d9fc7d8da90cf9a94"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Deferred"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.