CVE-2025-68768 Overview
A deadlock has been found in the Linux kernel's IP fragment handling (the inet frags code in net/ipv4/inet_fragment.c). fqdir_pre_exit() did not flush the socket buffers (skbs) still queued in a network namespace's fragment queues when that namespace was being torn down. Those skbs can hold nf_conntrack references, and the conntrack cleanup that waits for them can deadlock every other user of pernet_ops_rwsem.
Critical Impact
The bug can hang the system during kernel module loading. A module such as ipvlan that registers pernet operations at init must take pernet_ops_rwsem as a writer, and it blocks forever behind the network namespace cleanup worker, which holds the lock as a reader and never finishes because of the order in which the conntrack and nf_defrag_ipv6 netns exit hooks run. The impact is a local denial of service; it does not give code execution or privilege escalation.
Affected Products
- Linux kernel releases without the fqdir_pre_exit() flush fix
- Systems running IPv6 defragmentation (nf_defrag_ipv6) together with conntrack
- Configurations that load network drivers with pernet operations, such as ipvlan, while network namespaces are being destroyed
Discovery Timeline
- 2026-01-13 - CVE-2025-68768 published to NVD
- 2026-01-13 - Last updated in the NVD database
Technical Details for CVE-2025-68768
Vulnerability Analysis
The problem is in the kernel's fragment queue management. Network namespace exit hooks run in the reverse of their registration order, so when nf_defrag_ipv6 is loaded before conntrack, conntrack's netns exit hook runs before nf_defrag_ipv6's. nf_conntrack_cleanup_net_list() waits for the namespace's conntrack count to drop to zero, looping (it yields with schedule() on each pass) while cleanup_net() holds pernet_ops_rwsem for read; any task that needs the lock as a writer, typically modprobe registering a driver's pernet operations, blocks behind it. This is an ordering and object-lifetime bug rather than a race condition.
The conntrack count never reaches zero because skbs still sitting in the namespace's fragment queues carry conntrack references (skb->_nfct) that were not released during the pre-exit phase. Those skbs would only be freed by nf_defrag_ipv6's exit hook, which, given the hook order above, cannot run until conntrack's cleanup returns. Each side waits on the other.
Root Cause
The fundamental defect is the missing flush of fragment-queue skbs in fqdir_pre_exit(). The pre_exit hooks of every pernet operation run before any exit hook, so flushing there drops the conntrack references before nf_conntrack_cleanup_net_list() starts waiting, whatever order the two modules were loaded in. Without it, the load order (nf_defrag_ipv6 before conntrack) leaves the exit hooks in an order that can never complete.
Attack Vector
This is a local denial of service. Triggering it depends on a particular state rather than on a narrow timing window:
- Fragmented IPv4 or IPv6 packets leave skbs, with conntrack references attached, in the fragment queues of a network namespace that is then destroyed (the report came from IP defragmentation tests)
- A kernel module load, or another caller, tries to take pernet_ops_rwsem as a writer
- cleanup_net() is concurrently running conntrack's netns exit hook, holding the lock as a reader and looping indefinitely
Because ordinary operations, such as running network tests in a namespace and then loading a driver module, can produce this sequence, it is best treated as a reliability issue rather than a remotely exploitable vulnerability.
Detection Methods for CVE-2025-68768
Indicators of Compromise
- System hangs during kernel module loading, particularly of network drivers such as ipvlan
- modprobe or insmod stuck in uninterruptible sleep (D state) with a kernel stack ending in down_write() under register_pernet_subsys()
- Hung task detector messages for the blocked module loader, and a cleanup_net() kworker that never completes
- Sustained CPU consumption by that kworker inside nf_conntrack_cleanup_net_list(); because the loop yields with schedule(), the worker shows as runnable rather than blocked
Detection Strategies
- Inspect blocked tasks directly: echo w > /proc/sysrq-trigger dumps every D-state task with its kernel stack to the kernel log, and /proc/<pid>/stack shows where a single task is waiting; look for down_write() under register_pernet_subsys() alongside a kworker in nf_conntrack_cleanup_net_list()
- Implement watchdog timers on critical module loading operations to detect prolonged delays
- Rely on the hung task detector (CONFIG_DETECT_HUNG_TASK, kernel.hung_task_timeout_secs) rather than lockdep: lockdep reports lock-order inversions, and this hang is a reader that simply never releases, which lockdep does not flag
- Watch the kernel log for network namespace cleanup that repeats or never completes
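The following script is an added example for this advisory, not code from the original page or from the kernel tree. It classifies /proc/<pid>/stack dumps to spot the two halves of the hang described above: a module loader blocked as a pernet_ops_rwsem writer and the netns cleanup worker still inside nf_conntrack_cleanup_net_list(). The symbol names it matches are the ones named in this advisory plus generic kernel helpers (down_write, register_pernet_subsys, cleanup_net); the sample stacks are constructed, with made-up offsets, for the self-test.

```shell
#!/bin/sh
# Added example, not from the advisory or the kernel tree: classify kernel
# stack dumps and scan /proc for the pernet_ops_rwsem writer/reader pair.

# classify_stack STACK_TEXT -> prints reader | writer | none
classify_stack() {
    if printf '%s\n' "$1" | grep -Eq 'nf_conntrack_cleanup_net_list|cleanup_net'; then
        echo reader     # holds pernet_ops_rwsem for read and never returns
    elif printf '%s\n' "$1" | grep -Eq 'rwsem_down_write|down_write|register_pernet_(subsys|device)'; then
        echo writer     # waiting for the rwsem as a writer, e.g. modprobe
    else
        echo none
    fi
}

# task_state PID -> single-letter state (D, R, S, ...) from /proc/PID/stat.
# The state is the first field after the parenthesised comm; comm may itself
# contain spaces, so strip everything through the last ')'.
task_state() {
    sed 's/.*) //' "/proc/$1/stat" 2>/dev/null | cut -d' ' -f1
}

# scan_procfs -> prints suspicious tasks; returns 0 only if both halves are
# present at once. Needs root to read /proc/<pid>/stack. The cleanup worker
# loops with schedule(), so expect it in R state; only the writer is in D.
scan_procfs() {
    seen_writer=0; seen_reader=0
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        stack=$(cat "$d/stack" 2>/dev/null) || continue
        case $(classify_stack "$stack") in
            writer) seen_writer=1
                    printf 'WRITER pid=%s state=%s comm=%s\n' "$pid" "$(task_state "$pid")" "$(cat "$d/comm")" ;;
            reader) seen_reader=1
                    printf 'READER pid=%s state=%s comm=%s\n' "$pid" "$(task_state "$pid")" "$(cat "$d/comm")" ;;
        esac
    done
    [ "$seen_writer" = 1 ] && [ "$seen_reader" = 1 ]
}

# Constructed sample stacks in /proc/<pid>/stack format (offsets are made up).
SAMPLE_MODPROBE_STACK='[<0>] rwsem_down_write_slowpath+0x2ac/0x560
[<0>] down_write+0x5b/0x70
[<0>] register_pernet_subsys+0x1a/0x40
[<0>] ipvlan_init_module+0x3c/0x1000 [ipvlan]
[<0>] do_one_initcall+0x58/0x300
[<0>] do_init_module+0x60/0x250'

SAMPLE_KWORKER_STACK='[<0>] nf_conntrack_cleanup_net_list+0x8c/0x1d0 [nf_conntrack]
[<0>] nf_conntrack_pernet_exit+0x2a/0x40 [nf_conntrack]
[<0>] ops_exit_list+0x3e/0x70
[<0>] cleanup_net+0x1f2/0x3a0
[<0>] process_one_work+0x1cf/0x3e0
[<0>] worker_thread+0x4a/0x3b0'

SAMPLE_IDLE_STACK='[<0>] do_wait+0x1b4/0x2d0
[<0>] kernel_wait4+0x8f/0xa0'

# Live scan only on request:  sh pernet_hang_check.sh scan
if [ "${1:-}" = scan ]; then
    scan_procfs
fi
```

A single cleanup_net() stack is not proof of the bug, since namespace teardown legitimately passes through that function; run the scan twice some seconds apart and treat only a worker that stays in nf_conntrack_cleanup_net_list() together with a D-state writer as a match.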
Monitoring Recommendations
- Enable the hung task detector in development and test environments; lockdep does not catch this pattern, because the lock is held legitimately by a reader that simply never returns
- Implement alerting for module load operations that exceed expected duration thresholds
- Monitor the reassembly counters (ReasmReqds, ReasmOKs, ReasmFails in /proc/net/snmp and their Ip6 counterparts in /proc/net/snmp6) for fragments that arrive but never complete or time out
- Track network namespace teardown for cleanup_net() workers that run far longer than expected
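As an added example (not code from the page or the kernel), the script below turns the counter recommendation above into a delta check. /proc/net/snmp carries two "Ip:" lines, a header of column names and a line of values, including ReasmReqds, ReasmOKs, ReasmFails and ReasmTimeout; /proc/net/snmp6 carries one "Ip6ReasmReqds <value>" style line per counter. Fragments that arrive (ReasmReqds climbs) but over a whole reassembly window neither complete (ReasmOKs) nor fail (ReasmFails, which also counts timeouts) are still sitting in fragment queues. The snapshots in the block are constructed for the self-test; the column layout is the real one but the numbers are invented.

```shell
#!/bin/sh
# Added example, not from the advisory or the kernel: detect fragment queues
# that fill but do not drain, by comparing two reassembly counter snapshots.

# ip4_reasm SNMP_TEXT -> "reqds oks fails timeout" from the Ip: header/value pair.
# Columns are looked up by name, so the exact set of Ip: counters does not matter.
ip4_reasm() {
    printf '%s\n' "$1" | awk '
        $1 == "Ip:" && !hdr { for (i = 2; i <= NF; i++) col[$i] = i; hdr = 1; next }
        $1 == "Ip:" && hdr  { print $(col["ReasmReqds"]), $(col["ReasmOKs"]),
                                    $(col["ReasmFails"]), $(col["ReasmTimeout"]); exit }'
}

# ip6_reasm SNMP6_TEXT -> "reqds oks fails timeout" from the Ip6Reasm* lines.
ip6_reasm() {
    printf '%s\n' "$1" | awk '
        $1 == "Ip6ReasmReqds"   { r = $2 }
        $1 == "Ip6ReasmOKs"     { o = $2 }
        $1 == "Ip6ReasmFails"   { f = $2 }
        $1 == "Ip6ReasmTimeout" { t = $2 }
        END { print r + 0, o + 0, f + 0, t + 0 }'
}

# reasm_stalled "BEFORE" "AFTER" -> 0 when fragments arrived but none finished.
# Both arguments are the 4-number strings produced by ip4_reasm / ip6_reasm.
reasm_stalled() {
    set -- $1 $2                 # word splitting intended: $1..$4 before, $5..$8 after
    d_reqds=$(( $5 - $1 ))                       # new fragments seen
    d_done=$(( ($6 + $7) - ($2 + $3) ))          # datagrams completed or failed
    [ "$d_reqds" -gt 0 ] && [ "$d_done" -eq 0 ]
}

# check_live WINDOW_SECONDS -> samples /proc/net/snmp twice. Use a window longer
# than net.ipv4.ipfrag_time (30 s by default) so an in-progress reassembly has
# time to complete or expire before the second sample; shorter windows give
# false positives on busy hosts.
check_live() {
    b=$(ip4_reasm "$(cat /proc/net/snmp)")
    sleep "$1"
    a=$(ip4_reasm "$(cat /proc/net/snmp)")
    if reasm_stalled "$b" "$a"; then
        echo "IPv4 fragments pending and not draining: $b -> $a"; return 1
    fi
    echo "IPv4 reassembly draining normally: $b -> $a"
}

# Constructed snapshots (real column names, invented values).
SNMP_HDR='Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors ForwDatagrams InUnknownProtos InDiscards InDelivers OutRequests OutDiscards OutNoRoutes ReasmTimeout ReasmReqds ReasmOKs ReasmFails FragOKs FragFails FragCreates OutTransmits'
SNMP_T0="$SNMP_HDR
Ip: 1 64 1000 0 0 0 0 0 1000 900 0 0 0 40 20 0 0 0 0 900"
SNMP_T1="$SNMP_HDR
Ip: 1 64 1010 0 0 0 0 0 1003 905 0 0 0 48 20 0 0 0 0 905"   # 8 fragments in, nothing finished
SNMP_T2="$SNMP_HDR
Ip: 1 64 1020 0 0 0 0 0 1008 910 0 0 0 52 24 0 0 0 0 910"   # 4 in, 4 datagrams completed
SNMP6_T0='Ip6InReceives                   5000
Ip6ReasmTimeout                 0
Ip6ReasmReqds                   12
Ip6ReasmOKs                     6
Ip6ReasmFails                   0'

# Live check only on request:  sh reasm_check.sh live 60
if [ "${1:-}" = live ]; then
    check_live "${2:-60}"
fi
```

The counters are host-wide for the namespace the script runs in; to watch a namespace that is about to be torn down, run the sampler inside it (for example with ip netns exec) before the teardown starts, and pair a stalled result with the conntrack count from /proc/sys/net/netfilter/nf_conntrack_count, which is the per-namespace value conntrack's exit hook waits on.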
How to Mitigate CVE-2025-68768
Immediate Actions Required
- Apply the kernel fix that flushes pending fragment-queue skbs in fqdir_pre_exit(), releasing their conntrack references before conntrack's exit hook runs
- Review and test network namespace cleanup sequences in affected environments
- Until patched, avoid destroying network namespaces that may still hold pending fragments immediately before loading network driver modules
- Upgrade to patched kernel versions where available
Patch Information
The fix flushes every skb in the namespace's fragment queues during fqdir_pre_exit(), dropping their conntrack references before nf_conntrack_cleanup_net_list() starts waiting. It also makes the fragment timer expiry path flush when it finds fqdir->dead set, covering fragments that arrive while the pre_exit flush is in progress.
Official patches are carried in the Linux kernel stable trees.
Workarounds
- Avoid sequences that combine IP defragmentation tests, or any fragment-heavy traffic inside a short-lived network namespace, with immediate module loading
- Leave enough time between network testing and namespace teardown for pending fragments to time out (net.ipv4.ipfrag_time, 30 seconds by default), so the queues are empty before cleanup starts; this reduces the chance of hitting the hang but does not remove it
- Reordering module loads so that conntrack registers its pernet operations before nf_defrag_ipv6 would change the exit-hook order, but module dependencies constrain what modprobe can load first, so this is not a dependable workaround
- Once the hang occurs it cannot be recovered by killing processes: a task blocked in D state ignores signals and the cleanup worker never finishes, so a reboot is required. Monitor for the condition and schedule the patch rather than relying on recovery
# Configuration example
# Record the running kernel version to compare against the fixed releases named in the advisory
uname -r
# Look for module loaders blocked in uninterruptible sleep (state D)
ps -eo pid,stat,comm,args | awk '$2 ~ /^D/ && $3 ~ /^(modprobe|insmod)$/'
# Check whether conntrack and the IPv6 defrag module are loaded
lsmod | grep -E '^(nf_conntrack|nf_defrag_ipv6) '
# Conntrack entry count for the current namespace (the value conntrack's exit hook waits on)
cat /proc/sys/net/netfilter/nf_conntrack_count 2>/dev/null || echo "conntrack not loaded"
# IPv4 reassembly counters: ReasmReqds, ReasmOKs, ReasmFails are columns of the Ip: lines
grep '^Ip:' /proc/net/snmp
# IPv6 reassembly counters
grep Reasm /proc/net/snmp6
# Dump every D-state task with its kernel stack to the kernel log (root, then read dmesg)
echo w > /proc/sysrq-trigger
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

