CVE-2025-68795 Overview
A buffer overflow vulnerability has been identified in the Linux kernel's ethtool subsystem, specifically in the handling of network statistics queries. The vulnerability exists in the ethtool -S command implementation, which operates across three separate ioctl calls: ETHTOOL_GSSET_INFO for size information, ETHTOOL_GSTRINGS for stat names, and ETHTOOL_GSTATS for the actual values.
The core issue arises when the number of statistics changes between these ioctl calls, such as during device reconfiguration. This race condition can cause userspace buffer allocations to become incorrectly sized, potentially leading to a buffer overflow condition when writing statistics data.
Critical Impact
Race condition in Linux kernel ethtool stats query can lead to userspace buffer overflow when device statistics count changes between ioctl calls, potentially causing memory corruption or system instability.
Affected Products
- Linux kernel (versions using affected ethtool implementation)
- Systems using network drivers with dynamic counters (mlx5, bnx2x, bna, ksz884x)
- Linux-based network appliances and servers
Discovery Timeline
- 2026-01-13 - CVE-2025-68795 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-68795
Vulnerability Analysis
The vulnerability stems from a fundamental race condition in the ethtool statistics query mechanism. The ethtool -S command requires three separate ioctl calls to retrieve network statistics. First, ETHTOOL_GSSET_INFO is called to determine the size of the statistics buffer. Next, ETHTOOL_GSTRINGS retrieves the names of each statistic. Finally, ETHTOOL_GSTATS fetches the actual values.
Between these calls, the RTNL lock is released, creating a window where the device configuration can change. If a device reconfiguration occurs during this window and the number of available statistics changes, the buffer allocated by userspace based on the initial size query will be incorrectly sized.
Several network drivers use dynamic stat counters, including mlx5, bnx2x, bna, and ksz884x. Some driver code, such as bnad_get_ethtool_stats() in the bna driver and the micrel/ksz884x driver, attempts to handle this internally by checking stats.n_stats. However, these checks still rely on the value returned from get_sset_count(), which doesn't prevent the overflow scenario.
Root Cause
The root cause is a Time-of-Check Time-of-Use (TOCTOU) race condition in the ethtool statistics query implementation. The buffer size is determined at one point in time, but the actual data is written at a later point when the underlying data structure may have changed. The RTNL lock protects individual ioctl calls but is released between them, allowing device reconfiguration to occur.
Attack Vector
The attack vector for this vulnerability is the timing window between the ethtool ioctl calls. An attacker with the ability to trigger device reconfiguration (either through legitimate administrative access or another vulnerability) could potentially cause a buffer overflow through the following sequence:
- An ethtool statistics query is initiated from userspace
- A device reconfiguration that increases the number of statistics is triggered during the race window
- The kernel then writes more data than the userspace buffer can accommodate
The patch addresses this by modifying ethtool_get_strings(), ethtool_get_stats(), and ethtool_get_phy_stats() to detect mismatches between userspace's expected size and the current get_sset_size() value. When a mismatch is detected, the functions return without writing any data and set n_stats to zero, preventing the buffer overflow.
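The mismatch check described above, as a small userspace model in C. This is an added example, not the kernel's code and not taken from the patch: model_dev, model_get_count, model_get_stats and read_stats_retry are hypothetical names, the counter values are constructed, and the retry-on-zero policy is an assumption about how a monitoring agent could treat n_stats == 0.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a device whose stat count changes on reconfiguration. */
struct model_dev {
    uint32_t n_stats;                /* current stat count */
    uint32_t reconf_at, new_n_stats; /* call number of the change (0 = never), new count */
    uint32_t calls;
};

/* Size query, one locked section; a pending reconfiguration lands on entry. */
static uint32_t model_get_count(struct model_dev *d) {
    if (++d->calls == d->reconf_at)
        d->n_stats = d->new_n_stats;
    return d->n_stats;
}

/* Value query with the mismatch check: on a changed count, write nothing. */
static uint32_t model_get_stats(struct model_dev *d, uint32_t user_n, uint64_t *buf) {
    if (user_n != model_get_count(d))
        return 0; /* caller sees n_stats == 0 */
    for (uint32_t i = 0; i < user_n; i++)
        buf[i] = 1000 + i; /* constructed counter values */
    return user_n;
}

/* Consumer (assumed policy): n_stats == 0 means redo the whole sequence. */
static int read_stats_retry(struct model_dev *d, int max_tries, uint32_t *out_n) {
    for (int attempt = 1; attempt <= max_tries; attempt++) {
        uint32_t n = model_get_count(d);
        uint64_t *buf = calloc(n ? n : 1, sizeof(*buf));
        if (!buf)
            return -1;
        uint32_t got = model_get_stats(d, n, buf);
        free(buf);
        if (n != 0 && got == n) {
            *out_n = got;
            return attempt; /* which attempt succeeded */
        }
    }
    return -1; /* count never settled within max_tries */
}

int main(void) {
    struct model_dev d = { 8, 2, 12, 0 }; /* count grows 8 -> 12 before call 2 */
    uint32_t n = 0;
    printf("attempt %d\n", read_stats_retry(&d, 3, &n));
    return 0;
}
```

The model covers the size and value steps only; the same comparison applies to the names step.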
Detection Methods for CVE-2025-68795
Indicators of Compromise
- Unexpected kernel crashes or panics related to network driver operations
- Memory corruption errors in kernel logs following ethtool statistics queries
- System instability during network interface reconfiguration
- Unusual behavior from ethtool commands returning empty or zeroed statistics
Detection Strategies
- Monitor kernel logs for buffer overflow warnings or memory corruption indicators in network subsystems
- Implement system call auditing to track ethtool ioctl patterns that may indicate exploitation attempts
- Deploy kernel runtime protection mechanisms that detect out-of-bounds memory access
- Use SentinelOne's Singularity platform for real-time kernel-level threat detection
Monitoring Recommendations
- Enable kernel audit logging for network-related system calls
- Monitor for unusual patterns of ethtool usage, especially rapid successive calls
- Track device reconfiguration events that coincide with ethtool statistics queries
- Implement alerting on kernel oops or panic events related to network drivers
How to Mitigate CVE-2025-68795
Immediate Actions Required
- Apply the latest Linux kernel patches that include the ethtool overflow fix
- Review and update systems running affected network drivers (mlx5, bnx2x, bna, ksz884x)
- Limit administrative access to network interface configuration
- Monitor systems for signs of exploitation while patches are being deployed
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix modifies ethtool_get_strings(), ethtool_get_stats(), and ethtool_get_phy_stats() to detect and handle size mismatches safely. When a mismatch between userspace's expected size and the current get_sset_size() value is detected, the functions return with n_stats set to zero rather than potentially overflowing the buffer.
The patches are available through the following commits:
- Linux Kernel Commit 4066b5b
- Linux Kernel Commit 4afcb98
- Linux Kernel Commit 7b07be1
- Linux Kernel Commit 7bea09f
- Linux Kernel Commit ca9983b
Workarounds
- Avoid running ethtool -S during periods of active network interface reconfiguration
- Implement rate limiting on network device reconfiguration operations
- Use dedicated monitoring systems that aggregate statistics through alternative kernel interfaces
- Consider temporary restriction of ethtool access to essential administrative tasks only
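# Show the running kernel version and compare it with your distribution's fixed release
uname -r
# Check for available kernel updates (Debian/Ubuntu)
apt list --upgradable 2>/dev/null | grep linux-image
# or for RHEL/CentOS:
yum check-update kernel
# Apply kernel updates (Debian/Ubuntu); the quoted glob is not expanded by the shell,
# and --only-upgrade limits the operation to kernel image packages already installed
apt update && apt install --only-upgrade 'linux-image-*'
# or for RHEL/CentOS:
yum update kernel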
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

