CVE-2025-68785 Overview
CVE-2025-68785 is a Linux kernel vulnerability in the Open vSwitch (OVS) subsystem. The flaw resides in the push_nsh() action handler, which fails to validate the middle Netlink attribute nested inside OVS_ACTION_ATTR_PUSH_NSH. The kernel performs a double nla_data() unwrap without verifying that the intermediate attribute is of type OVS_KEY_ATTR_NSH or properly sized. A malformed Netlink message triggers an out-of-bounds read in nsh_hdr_from_nlattr(), as confirmed by a KASAN slab-out-of-bounds report when executing the action.
Critical Impact
A local user with permission to send Open vSwitch Generic Netlink commands can trigger a kernel out-of-bounds read of up to 184 bytes, leading to kernel memory disclosure or denial of service.
Affected Products
- Linux kernel Open vSwitch (openvswitch) module
- Linux kernel 6.18-rc7 and earlier development branches confirmed via KASAN report
- Multiple stable branches receiving backports per the seven upstream commits referenced
Discovery Timeline
- 2026-01-13 - CVE-2025-68785 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-68785
Vulnerability Analysis
The Open vSwitch push_nsh action accepts a nested Netlink attribute structure of the form OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE, ...)). The outermost attribute is validated by nla_for_each_nested() inside __ovs_nla_copy_actions(). The innermost OVS_NSH_KEY_ATTR_BASE, MD1, and MD2 attributes are validated by nla_for_each_nested() inside nsh_key_put_from_nlattr(). The middle attribute, however, receives no validation.
The kernel calls nla_data() twice in sequence to reach the inner payload. The first call occurs directly in validate_push_nsh(), and the second occurs through the nla_for_each_nested() macro. Neither call verifies the type or length of the intermediate attribute. A larger Netlink buffer can mask the issue during validation, but action execution allocates a buffer sized exactly to the declared length, exposing the out-of-bounds read.
Root Cause
The defect is a missing input validation [CWE-20] on a nested Netlink attribute. The middle attribute is assumed to be OVS_KEY_ATTR_NSH of correct length without explicit checks. This pattern produces an out-of-bounds read when the attribute size is shorter than the structure dereferenced by nsh_hdr_from_nlattr().
Attack Vector
An attacker with the CAP_NET_ADMIN capability in a network namespace can craft a malformed OVS_PACKET_CMD_EXECUTE Generic Netlink message containing a push_nsh action with an undersized or wrong-typed middle attribute. When the kernel executes the action, nsh_hdr_from_nlattr() performs a 184-byte memcpy from a buffer that may be smaller, producing the KASAN-reported slab-out-of-bounds read. The read can expose adjacent slab memory or destabilize the kernel.
No verified public exploit code is available. The upstream commit series describes the vulnerability mechanism and corrective validation logic.
Detection Methods for CVE-2025-68785
Indicators of Compromise
- KASAN reports referencing nsh_hdr_from_nlattr, push_nsh, or do_execute_actions in the openvswitch module
- Unexpected kernel oops or BUG: KASAN: slab-out-of-bounds entries in dmesg originating from the Open vSwitch call path
- Unusual genl traffic to the ovs_packet family from unprivileged or unexpected user-space processes
Detection Strategies
- Monitor kernel ring buffer logs for KASAN or general protection fault traces involving openvswitch symbols
- Audit processes invoking sendto() against the NETLINK_GENERIC socket family targeting Open vSwitch commands
- Track loaded kernel version against the patched commits listed in the kernel.org stable tree
Monitoring Recommendations
- Enable CONFIG_KASAN in test and staging kernels to surface the out-of-bounds access during pre-production fuzzing
- Forward /var/log/kern.log and journald kernel facility entries to a centralized log platform for anomaly review
- Alert on repeated Open vSwitch action execution failures or module crashes correlated with namespace-creation activity
How to Mitigate CVE-2025-68785
Immediate Actions Required
- Apply the upstream Linux kernel patches that add type and length checks for the middle Netlink attribute inside push_nsh()
- Restrict CAP_NET_ADMIN to trusted administrators and avoid granting it to container workloads that do not require Open vSwitch control
- Inventory hosts running the openvswitch kernel module and prioritize patching nodes exposed to multi-tenant workloads
Patch Information
The fix is distributed across seven upstream commits in the Linux stable tree. Reference commits include 10ffc558246f, 1b569db9c2f2, 2ecfc4433acd, 3bc2efff20a3, 5ace7ef87f05, c999153bfb2d, and d0c135b8bbbc. The patches add validation to confirm the middle attribute is OVS_KEY_ATTR_NSH and properly sized before further nested processing.
Workarounds
- Unload the openvswitch kernel module on hosts that do not require it: modprobe -r openvswitch
- Block creation of unprivileged user namespaces where Open vSwitch is not required, reducing the surface for CAP_NET_ADMIN acquisition
- Apply seccomp or LSM policies that restrict sendto() to the Open vSwitch Generic Netlink family for untrusted processes
# Configuration example
# Remove the openvswitch module if not in use
sudo modprobe -r openvswitch
# Prevent automatic loading
echo 'blacklist openvswitch' | sudo tee /etc/modprobe.d/blacklist-openvswitch.conf
# Verify kernel version after patching
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
