Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68787

CVE-2025-68787: Linux Kernel Memory Leak Vulnerability

CVE-2025-68787 is a memory leak flaw in the Linux kernel's netrom module that occurs when nr_sendmsg() fails to free allocated memory. This article covers the technical details, affected versions, impact, and mitigation.

Updated:

CVE-2025-68787 Overview

CVE-2025-68787 is a memory leak vulnerability in the Linux kernel's NET/ROM (netrom) protocol implementation. The flaw resides in the nr_sendmsg() function in net/netrom/af_netrom.c. When sock_alloc_send_skb() returns NULL inside nr_output(), the original socket buffer (skb) allocated by nr_sendmsg() is not freed. The leak was reported by syzbot via kernel memory leak detection (kmemleak). Repeated triggering of the code path exhausts kernel slab memory over time. The maintainers resolved the issue by freeing the skb before returning on the error path.

Critical Impact

Local users able to invoke the netrom socket family can exhaust kernel memory through repeated sendmsg() failures, leading to denial of service on affected Linux systems.

Affected Products

  • Linux kernel branches containing the netrom (NET/ROM) protocol implementation in net/netrom/af_netrom.c
  • Distributions shipping vulnerable kernel versions prior to the upstream stable fixes
  • Systems with the netrom kernel module loadable or enabled

Discovery Timeline

  • 2026-01-13 - CVE-2025-68787 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-68787

Vulnerability Analysis

The vulnerability is a kernel-mode memory leak in the NET/ROM amateur radio protocol stack. User space invokes sendmsg() on an AF_NETROM socket, which routes through nr_sendmsg() in net/netrom/af_netrom.c. That function allocates an skb via sock_alloc_send_skb() and passes it to nr_output() for transmission. Inside nr_output(), additional allocations occur through sock_alloc_send_pskb() and alloc_skb_with_frags(). When these inner allocations fail and return NULL, the function exits without releasing the originally allocated skb. The kmemleak subsystem traces the orphaned 240-byte slab allocation back to __alloc_skb and the nr_sendmsg call site, confirming the lost reference.

Root Cause

The root cause is missing cleanup on an error path. The fix frees the skb before returning from the failure branch, ensuring allocation and release are balanced regardless of the outcome of downstream allocations.

Attack Vector

A local unprivileged user with the ability to create AF_NETROM sockets can repeatedly call sendmsg() under memory pressure to force sock_alloc_send_skb() failures. Each failure leaks one skb allocation in kernel slab memory. Sustained exploitation degrades system stability and may trigger out-of-memory conditions. The vulnerability is not remotely reachable absent attacker-controlled local code execution.

No public exploit code is available. The vulnerability is described in prose because no verified proof-of-concept beyond the syzbot kmemleak report has been published. See the Linux Kernel Commit for the canonical fix.

Detection Methods for CVE-2025-68787

Indicators of Compromise

  • Kernel kmemleak reports referencing nr_sendmsg+0x287/0x450 in net/netrom/af_netrom.c and __alloc_skb allocation stacks
  • Gradual growth of kmalloc-256 or related slab caches without proportional active connections
  • Unexpected loading of the netrom kernel module on systems that do not use amateur radio networking

Detection Strategies

  • Enable CONFIG_DEBUG_KMEMLEAK on test kernels and scan for unreferenced allocations rooted in af_netrom.c
  • Audit running kernels against the patch hashes 613d12dd794e, 09efbf54eeae, 156a0f6341dc, 51f5fbc1681b, 73839497bbde, 8d1ccba4b171, and f77e538ac4e3 from git.kernel.org
  • Monitor /proc/slabinfo for sustained growth in skbuff_head_cache correlated with netrom socket activity

Monitoring Recommendations

  • Log creation of AF_NETROM sockets via auditd rules targeting the socket syscall with family AF_NETROM (value 6)
  • Alert on kernel Out of memory and slab-related dmesg entries on hosts where netrom is loaded
  • Track loaded kernel modules and flag netrom on servers and workstations that have no operational need for it

How to Mitigate CVE-2025-68787

Immediate Actions Required

  • Apply the upstream Linux kernel patch from the relevant stable branch as published by git.kernel.org
  • Blacklist the netrom module on systems that do not require NET/ROM amateur radio support
  • Restrict creation of raw and exotic socket families by enforcing CAP_NET_RAW policy and seccomp filters for untrusted workloads

Patch Information

The vulnerability is fixed across multiple Linux stable branches. Refer to the upstream commits: 09efbf54eeae, 156a0f6341dc, 51f5fbc1681b, 613d12dd794e, 73839497bbde, 8d1ccba4b171, and f77e538ac4e3. Apply the fix corresponding to your kernel branch and rebuild or upgrade to a distribution kernel that incorporates these commits.

Workarounds

  • Prevent automatic loading of the netrom module by adding install netrom /bin/true to /etc/modprobe.d/netrom.conf
  • Use seccomp or AppArmor policies to deny socket(AF_NETROM, ...) calls from untrusted processes
  • Apply cgroup memory limits to constrain blast radius on multi-tenant hosts until a patched kernel is deployed
bash
# Configuration example: disable the netrom kernel module
echo "install netrom /bin/true" | sudo tee /etc/modprobe.d/netrom.conf
sudo rmmod netrom 2>/dev/null || true
lsmod | grep netrom

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.