Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68768

CVE-2025-68768: Linux Kernel DoS Vulnerability

CVE-2025-68768 is a denial of service flaw in the Linux kernel that causes deadlocks due to fragment queue handling issues. This article covers the technical details, affected versions, impact, and mitigation strategies.

Updated:

CVE-2025-68768 Overview

A deadlock vulnerability has been discovered in the Linux kernel's network fragment handling subsystem. The issue occurs in the inet: frags component where pending socket buffers (skbs) are not properly flushed during the fqdir_pre_exit() function, leading to potential system deadlocks on pernet_ops_rwsem.

Critical Impact

This vulnerability can cause system deadlocks when loading kernel modules, particularly affecting drivers like ipvlan, due to improper ordering of network namespace exit hooks between conntrack and nf_defrag_ipv6.

Affected Products

  • Linux kernel (versions with affected inet: frags implementation)
  • Systems using IPv6 defragmentation with conntrack
  • Network configurations utilizing ipvlan or similar drivers

Discovery Timeline

  • 2026-01-13 - CVE CVE-2025-68768 published to NVD
  • 2026-01-13 - Last updated in NVD database

Technical Details for CVE-2025-68768

Vulnerability Analysis

The vulnerability resides in the Linux kernel's IP fragment queue management system. When the nf_defrag_ipv6 module loads before conntrack, a race condition emerges in the cleanup sequence during network namespace exit. The nf_conntrack_cleanup_net_list() function enters an infinite loop while holding the pernet_ops_rwsem read lock, blocking other processes (typically modprobe loading drivers) that need to acquire the lock as a writer.

The root cause stems from socket buffers (skbs) remaining in fragmentation queues with active conntrack references. Since nf_defrag_ipv6 loads first, its netns exit hooks run after conntrack's netns exit hook, creating a dependency ordering problem. The conntrack cleanup cannot complete because skbs in the fragment queue still hold conntrack references that were not released during the pre-exit phase.

Root Cause

The fundamental issue is the missing flush operation for fragment queue SKBs during the fqdir_pre_exit() function. When conntrack attempts to clean up network namespace resources, it spins indefinitely because fragment queues still contain skbs holding conntrack references. The module load order (nf_defrag_ipv6 before conntrack) causes the exit hook ordering to be reversed, preventing proper cleanup sequencing.

Attack Vector

This vulnerability manifests as a local denial of service condition. The attack vector requires specific timing conditions where:

  1. IP defragmentation tests or operations leave skbs in fragment queues
  2. A kernel module load triggers acquisition of pernet_ops_rwsem as a writer
  3. Conntrack cleanup is simultaneously running, holding the lock as a reader while looping indefinitely

The deadlock can be triggered through normal system operations such as running network tests followed by driver module loading, making it a reliability issue rather than a traditional security exploit.

Detection Methods for CVE-2025-68768

Indicators of Compromise

  • System hangs during kernel module loading operations, particularly network drivers like ipvlan
  • Processes stuck in uninterruptible sleep state while attempting to load modules via modprobe
  • Kernel log messages showing conntrack cleanup taking unusually long or appearing stuck
  • High CPU usage in kernel context associated with nf_conntrack_cleanup_net_list()

Detection Strategies

  • Monitor for processes stuck waiting on pernet_ops_rwsem lock acquisition using kernel debugging tools
  • Implement watchdog timers on critical module loading operations to detect prolonged delays
  • Use lockdep debugging to track rwsem lock states and identify potential deadlock patterns
  • Monitor system logs for patterns indicating the vulnerability, such as repeated conntrack cleanup iterations

Monitoring Recommendations

  • Enable kernel lockdep warnings in development and testing environments to catch potential deadlock scenarios
  • Implement alerting for module load operations that exceed expected duration thresholds
  • Monitor fragment queue statistics for skbs that persist beyond normal timeout periods
  • Track conntrack table cleanup operations for abnormal timing patterns

How to Mitigate CVE-2025-68768

Immediate Actions Required

  • Apply the kernel patches that add flush operations in fqdir_pre_exit() to release conntrack references
  • Review and test network namespace cleanup sequences in affected environments
  • Avoid running IP defragmentation tests immediately before loading network driver modules
  • Consider upgrading to patched kernel versions where available

Patch Information

The fix involves flushing all fragment queue SKBs during fqdir_pre_exit() to release conntrack references before conntrack cleanup runs. Additionally, the patch adds flush operations in timer expiry handlers when fqdir->dead is detected, handling cases where packets arrive during the pre_exit flush.

Official patches are available through the Linux kernel stable tree:

Workarounds

  • Avoid sequential operations that combine IP defragmentation tests with immediate module loading
  • Implement delays between network testing operations and driver module initialization
  • Consider unloading nf_defrag_ipv6 and conntrack modules in the correct order when performing maintenance operations
  • Monitor and restart affected processes if deadlock conditions are detected before patch deployment
bash
# Configuration example
# Verify current kernel version and check for patches
uname -r

# Monitor for stuck processes related to module loading
ps aux | grep -E "(modprobe|insmod)" | grep -v grep

# Check conntrack module status
lsmod | grep nf_conntrack

# View fragment queue statistics (if available)
cat /proc/net/ip_conntrack_count 2>/dev/null || echo "Check dmesg for conntrack status"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.