CVE-2025-68762 Overview
CVE-2025-68762 is a Linux kernel vulnerability in the net/netpoll subsystem. The flaw triggers a kernel warning when netconsole setup fails on network devices flagged with IFF_DISABLE_NETPOLL. The cleanup path attempts to cancel an uninitialized work queue, producing a WARN at kernel/workqueue.c:4242 inside __flush_work. The upstream fix moves INIT_WORK() to the start of __netpoll_setup() so the work queue exists before any early failure path runs. The issue is a reliability and logging defect rather than a remote attack vector.
Critical Impact
Local kernel warnings and noisy stack traces when configuring netconsole on devices that disable netpoll, with no confirmed remote exploitation path.
Affected Products
- Linux kernel versions containing the __netpoll_setup() cleanup path prior to the fix
- Distributions shipping affected stable kernel branches referenced in the upstream commits
- Systems using netconsole on devices that advertise the IFF_DISABLE_NETPOLL flag
Discovery Timeline
- 2026-01-05 - CVE-2025-68762 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-68762
Vulnerability Analysis
The defect lives in the Linux kernel networking polling layer used by netconsole and similar in-kernel emergency network paths. When __netpoll_setup() runs against a device that sets IFF_DISABLE_NETPOLL, the function returns an error early. The error path invokes skb_pool_flush(), which calls cancel_work_sync(&np->refill_wq) to tear down the refill work queue. At that point in the original code, refill_wq has not yet been initialized through INIT_WORK(). The workqueue core detects the inconsistency and emits a warning at __flush_work. The result is a kernel log warning with a backtrace rather than memory corruption or privilege escalation.
Root Cause
The root cause is an ordering issue in setup and teardown logic. The cleanup helper assumes refill_wq is always initialized, but __netpoll_setup() could fail before reaching INIT_WORK(). This is an uninitialized state usage pattern in an error-handling path, classifiable broadly under improper initialization in kernel resource management.
Attack Vector
No network-reachable attack vector is documented. Reproduction requires local privileges to configure netconsole and a target network interface that exposes IFF_DISABLE_NETPOLL. An EPSS probability near 0.032% and the absence of any public exploit or CISA KEV listing indicate the issue is operational rather than adversarial. Impact is limited to log noise, possible monitoring false positives, and degraded confidence in kernel health signals.
No verified exploit code is available. The upstream patches reorder INIT_WORK() to run before any error-return path in __netpoll_setup(), so the cleanup function can safely call cancel_work_sync() regardless of where setup fails. See the kernel.org stable commit a90d0dc38a10 for the canonical fix.
Detection Methods for CVE-2025-68762
Indicators of Compromise
- Kernel warning entries referencing __flush_work at kernel/workqueue.c:4242 in dmesg or journalctl -k output
- Stack traces containing cancel_work_sync, skb_pool_flush, and __netpoll_setup frames
- Failed netconsole module loads or configuration attempts against interfaces with IFF_DISABLE_NETPOLL
Detection Strategies
- Grep kernel ring buffers for the signature WARNING: CPU.*__flush_work combined with netpoll symbols
- Correlate netconsole configuration commands in audit logs with subsequent kernel warnings
- Track kernel package versions against the fixed commits to identify exposed hosts in inventory
Monitoring Recommendations
- Forward kern.warning syslog facility messages to a centralized log platform for backtrace pattern matching
- Alert on repeated __netpoll_setup failures, which may indicate misconfiguration or scripted probing
- Baseline netconsole usage so unexpected setup attempts on production hosts surface quickly
How to Mitigate CVE-2025-68762
Immediate Actions Required
- Apply vendor kernel updates that incorporate the upstream net: netpoll initialization fix
- Avoid configuring netconsole against interfaces reporting IFF_DISABLE_NETPOLL until patched
- Audit automation that loads or reconfigures netconsole at boot to prevent repeated failure paths
Patch Information
The fix moves INIT_WORK(&np->refill_wq, ...) to the start of __netpoll_setup() so the cleanup path can safely call cancel_work_sync(). The change is captured in the following upstream stable commits: 760bc6ceda8e, a90d0dc38a10, and e5235eb6cfe0. Distribution maintainers backport these commits into supported stable kernel branches.
Workarounds
- Disable or skip netconsole configuration on interfaces known to set IFF_DISABLE_NETPOLL
- Suppress non-actionable kernel warnings in monitoring rules only after confirming the source matches this CVE signature
- Restrict CAP_SYS_ADMIN and module loading privileges to limit who can trigger the failing setup path
# Verify running kernel and check for the netpoll warning signature
uname -r
dmesg | grep -E 'netpoll|__flush_work|refill_wq'
# Identify interfaces likely to trigger the path (IFF_DISABLE_NETPOLL is set by some virtual devices)
ip -d link show | grep -E 'team|bond|bridge'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

