CVE-2025-68813 Overview
A null pointer dereference vulnerability has been identified in the Linux kernel's IP Virtual Server (IPVS) subsystem. The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure() without ensuring skb->dev is properly set, leading to a NULL pointer dereference in fib_compute_spec_dst() when ipv4_link_failure() attempts to send ICMP destination unreachable messages.
Critical Impact
This vulnerability can cause kernel crashes (denial of service) when IPVS processes packets in NAT mode with misconfigured destinations, potentially affecting load balancer availability and high-availability infrastructure.
Affected Products
- Linux kernel versions with IPVS/LVS subsystem enabled
- Linux kernel configurations using NAT mode load balancing
- Systems running affected kernel versions with netfilter IPVS modules loaded
Discovery Timeline
- January 13, 2026 - CVE-2025-68813 published to NVD
- January 13, 2026 - Last updated in NVD database
Technical Details for CVE-2025-68813
Vulnerability Analysis
This vulnerability represents a regression introduced after commit ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure") which began calling __ip_options_compile() from ipv4_link_failure(). While a previous fix attempt in commit 0113d9c9d1cc ("ipv4: fix null-deref in ipv4_link_failure") addressed the immediate dev_net(skb->dev) dereference by using a fallback device, it was incomplete. The fib_compute_spec_dst() function later in the call chain still directly accesses skb->dev, which remains NULL when IPVS calls dst_link_failure().
The KASAN report indicates the null pointer dereference occurs at memory range [0x0000000000000328-0x000000000000032f] within the __in_dev_get_rcu inline function, specifically during the fib_compute_spec_dst() call in net/ipv4/fib_frontend.c.
Root Cause
The root cause is an incomplete fix for a previous null pointer dereference issue. When IPVS processes a packet in NAT mode and route lookup fails in __ip_vs_get_out_rt() before establishing a route, the error path calls dst_link_failure(skb) with skb->dev set to NULL. The subsequent call chain through ipv4_link_failure() → ipv4_send_dest_unreach() → __ip_options_compile() → fib_compute_spec_dst() results in a null pointer dereference when fib_compute_spec_dst() attempts to access the unset skb->dev field.
Attack Vector
The vulnerability is triggered through the following execution path:
- IPVS receives and processes a packet in NAT mode with a misconfigured destination
- Route lookup fails in __ip_vs_get_out_rt() before establishing a route
- The error path calls dst_link_failure(skb) with skb->dev == NULL
- ipv4_link_failure() is invoked to send ICMP destination unreachable
- The call chain proceeds through ipv4_send_dest_unreach() → __ip_options_compile() → fib_compute_spec_dst()
- fib_compute_spec_dst() dereferences the NULL skb->dev pointer, causing a kernel panic
The full call trace from the KASAN report shows the crash path:
- __ip_vs_get_out_rt+0x15fd/0x19e0 in net/netfilter/ipvs/ip_vs_xmit.c:412
- ip_vs_nat_xmit+0x1d8/0xc80 in net/netfilter/ipvs/ip_vs_xmit.c:764
Detection Methods for CVE-2025-68813
Indicators of Compromise
- Kernel panic or crash events with fib_compute_spec_dst or __in_dev_get_rcu in the stack trace
- KASAN reports indicating null pointer dereference in the IPVS/netfilter code paths
- System instability or unexpected reboots on IPVS/LVS load balancer systems
- Kernel log entries showing null pointer dereference in net/ipv4/fib_frontend.c
Detection Strategies
- Monitor kernel logs for KASAN null-ptr-deref reports involving fib_compute_spec_dst() or IPVS functions
- Implement system monitoring for unexpected kernel panics on systems running IPVS in NAT mode
- Review dmesg output for call traces involving __ip_vs_get_out_rt and ipv4_link_failure
- Deploy endpoint detection to alert on kernel crash events with specific function signatures
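One way to apply these log checks, as an added example that is not part of the original advisory: a shell function that groups kernel log lines into crash reports and counts only those whose trace contains both fib_compute_spec_dst and an IPVS transmit frame. The banner patterns used to delimit reports and the sample log are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): count kernel crash reports whose
# call trace matches the path described for CVE-2025-68813.

# Reads kernel log text on stdin; prints the number of matching reports.
count_ipvs_linkfail_oops() {
    awk '
        function close_report() {
            # Require both ends of the call chain inside a single report.
            if (in_report && fib && ipvs) hits++
            in_report = 0
        }
        # A crash banner opens a new report and closes any previous one.
        /KASAN: null-ptr-deref|kernel NULL pointer dereference|general protection fault/ {
            close_report(); in_report = 1; fib = 0; ipvs = 0
        }
        in_report && /fib_compute_spec_dst/              { fib = 1 }
        in_report && /__ip_vs_get_out_rt|ip_vs_nat_xmit/ { ipvs = 1 }
        /---\[ end trace/ { close_report() }
        END { close_report(); print hits + 0 }
    '
}

# Constructed sample log: report 1 matches, report 2 is an unrelated crash.
SAMPLE_LOG='[  101.1] general protection fault, probably for non-canonical address: 0000 [#1] SMP KASAN
[  101.2] KASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f]
[  101.3] Call Trace:
[  101.4]  fib_compute_spec_dst net/ipv4/fib_frontend.c
[  101.5]  __ip_options_compile
[  101.6]  ipv4_send_dest_unreach
[  101.7]  ipv4_link_failure
[  101.8]  __ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412
[  101.9]  ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764
[  102.0] ---[ end trace ]---
[  250.1] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  250.2] Call Trace:
[  250.3]  example_driver_irq
[  250.4] ---[ end trace ]---'

printf '%s\n' "$SAMPLE_LOG" | count_ipvs_linkfail_oops
```

On a live system, feed it with `dmesg | count_ipvs_linkfail_oops` or a saved crash log; a non-zero count means at least one report contained the full chain.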
Monitoring Recommendations
- Enable KASAN (Kernel Address Sanitizer) on test systems to detect the vulnerability before production impact
- Monitor system uptime and kernel crash counters on IPVS-enabled load balancers
- Set up alerts for IPVS misconfiguration errors that could trigger the vulnerable code path
- Review routing configuration to ensure destination routes are properly configured
How to Mitigate CVE-2025-68813
Immediate Actions Required
- Apply the kernel patches from the stable kernel tree immediately on affected IPVS systems
- Review IPVS NAT mode configurations to ensure destination routes are properly established
- Consider temporarily switching to direct routing (DR) mode if NAT mode is not strictly required
- Implement redundancy for load balancer infrastructure to maintain availability during patching
Patch Information
The fix applies the same approach used for IPv6 in commit 326bf17ea5d4 ("ipvs: fix ipv6 route unreach panic"): setting skb->dev from skb_dst(skb)->dev before calling dst_link_failure(). Multiple patch commits have been released to the stable kernel tree:
- Linux Kernel Commit Update 1
- Linux Kernel Commit Update 2
- Linux Kernel Commit Update 3
- Linux Kernel Commit Update 4
- Linux Kernel Commit Update 5
Workarounds
- Audit IPVS virtual server configurations to ensure all destination real servers have valid, reachable routes
- If using NAT mode, verify that the IPVS director has proper routing tables configured for all backend servers
- Consider using IPVS direct routing (DR) mode or tunneling (TUN) mode as alternatives that may not trigger the vulnerable code path
- Implement network monitoring to detect and alert on routing failures before they reach the vulnerable code path
# Check current IPVS configuration and routing
ipvsadm -Ln
ip route show
# Verify routes to backend servers are properly configured
# Replace <backend_ip> with actual backend server IPs
ip route get <backend_ip>
# Monitor kernel logs for related errors
dmesg | grep -iE "ipvs|ip_vs|fib_compute|link_failure"
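The audit described in the workarounds, automated as an added example that is not part of the original advisory: it extracts the NAT-mode ("Masq") real servers from `ipvsadm -Ln` output and reports any for which `ip route get` fails. The ROUTE_CHECK override and the sample output (documentation address ranges) are hypothetical and constructed for illustration; only IPv4 entries are considered.

```shell
#!/bin/sh
# Added example (not from the advisory): list NAT-mode real servers from
# `ipvsadm -Ln` output and check that the director has a route to each.

# Reads `ipvsadm -Ln` text on stdin; prints one IPv4 real-server address per
# line for entries whose Forward column is "Masq" (NAT mode).
nat_real_servers() {
    awk '$1 == "->" && $3 == "Masq" {
        addr = $2
        sub(/:[0-9]+$/, "", addr)            # drop the port
        if (addr ~ /^[0-9.]+$/) print addr   # IPv4 entries only
    }' | sort -u
}

# Prints real servers for which the route lookup fails; returns 1 if any fail.
# ROUTE_CHECK is a hypothetical override so the logic can be exercised offline.
unroutable_nat_servers() {
    check=${ROUTE_CHECK:-ip route get}
    rc=0
    for ip in $(nat_real_servers); do
        $check "$ip" >/dev/null 2>&1 || { echo "$ip"; rc=1; }
    done
    return $rc
}

# Constructed sample of `ipvsadm -Ln` output.
SAMPLE_IPVS='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.0.2.10:80 rr
  -> 198.51.100.11:80             Masq    1      0          0
  -> 198.51.100.12:80             Route   1      0          0
TCP  192.0.2.10:443 wlc
  -> 203.0.113.7:443              Masq    1      0          0'

# Show which real servers in the sample are in NAT mode.
printf '%s\n' "$SAMPLE_IPVS" | nat_real_servers
```

On a director, run `ipvsadm -Ln | unroutable_nat_servers`; any address it prints is a NAT-mode real server without a usable route.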

