VOOZH about

URL: https://nvd.nist.gov/vuln/detail/CVE-2025-68768

⇱ NVD - CVE-2025-68768

  1. Vulnerabilities

CVE-2025-68768 Detail

Not Scheduled

This CVE record is not being prioritized for NVD enrichment efforts due to resource or other concerns.

Description

In the Linux kernel, the following vulnerability has been resolved: inet: frags: flush pending skbs in fqdir_pre_exit() We have been seeing occasional deadlocks on pernet_ops_rwsem since September in NIPA. The stuck task was usually modprobe (often loading a driver like ipvlan), trying to take the lock as a Writer. lockdep does not track readers for rwsems so the read wasn't obvious from the reports. On closer inspection the Reader holding the lock was conntrack looping forever in nf_conntrack_cleanup_net_list(). Based on past experience with occasional NIPA crashes I looked thru the tests which run before the crash and noticed that the crash follows ip_defrag.sh. An immediate red flag. Scouring thru (de)fragmentation queues reveals skbs sitting around, holding conntrack references. The problem is that since conntrack depends on nf_defrag_ipv6, nf_defrag_ipv6 will load first. Since nf_defrag_ipv6 loads first its netns exit hooks run _after_ conntrack's netns exit hook. Flush all fragment queue SKBs during fqdir_pre_exit() to release conntrack references before conntrack cleanup runs. Also flush the queues in timer expiry handlers when they discover fqdir->dead is set, in case packet sneaks in while we're running the pre_exit flush. The commit under Fixes is not exactly the culprit, but I think previously the timer firing would eventually unblock the spinning conntrack.


Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL Source(s) Tag(s)
https://git.kernel.org/stable/c/006a5035b495dec008805df249f92c22c89c3d2e kernel.org
https://git.kernel.org/stable/c/22ee4010866da81aeee08e1ea3fddbe418feb212 kernel.org
https://git.kernel.org/stable/c/543555954b1ee8d1903a7020324efb41b0c97428 kernel.org
https://git.kernel.org/stable/c/c70df25214ac9b32b53e18e6ae3b8f073ffa6903 kernel.org

Weakness Enumeration

CWE-ID CWE Name Source

Change History

4 change records found show changes

CVE Modified by kernel.org 6/19/2026 9:16:24 AM

Action Type Old Value New Value
Added Reference 
https://git.kernel.org/stable/c/22ee4010866da81aeee08e1ea3fddbe418feb212
Changed Affected 
[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["include/net/inet_frag.h","include/net/ipv6_frag.h","net/ipv4/inet_fragment.c","net/ipv4/ip_fragment.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db","lessThan":"543555954b1ee8d1903a7020324efb41b0c97428","versionType":"git","status":"affected"},{"version":"d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db","lessThan":"c70df25214ac9b32b53e18e6ae3b8f073ffa6903","versionType":"git","status":"affected"},{"version":"d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db","lessThan":"006a5035b495dec008805df249f92c22c89c3d2e","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["include/net/inet_frag.h","include/net/ipv6_frag.h","net/ipv4/inet_fragment.c","net/ipv4/ip_fragment.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.3","status":"affected"},{"version":"0","lessThan":"5.3","versionType":"semver","status":"unaffected"},{"version":"6.12.93","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.3","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]


 
[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["include/net/inet_frag.h","include/net/ipv6_frag.h","net/ipv4/inet_fragment.c","net/ipv4/ip_fragment.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db","lessThan":"22ee4010866da81aeee08e1ea3fddbe418feb212","versionType":"git","status":"affected"},{"version":"d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db","lessThan":"543555954b1ee8d1903a7020324efb41b0c97428","versionType":"git","status":"affected"},{"version":"d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db","lessThan":"c70df25214ac9b32b53e18e6ae3b8f073ffa6903","versionType":"git","status":"affected"},{"version":"d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db","lessThan":"006a5035b495dec008805df249f92c22c89c3d2e","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["include/net/inet_frag.h","include/net/ipv6_frag.h","net/ipv4/inet_fragment.c","net/ipv4/ip_fragment.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.3","status":"affected"},{"version":"0","lessThan":"5.3","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.93","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.3","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]

CVE Modified by kernel.org 6/17/2026 5:59:33 AM

Action Type Old Value New Value
Added Affected 
[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["include/net/inet_frag.h","include/net/ipv6_frag.h","net/ipv4/inet_fragment.c","net/ipv4/ip_fragment.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db","lessThan":"543555954b1ee8d1903a7020324efb41b0c97428","versionType":"git","status":"affected"},{"version":"d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db","lessThan":"c70df25214ac9b32b53e18e6ae3b8f073ffa6903","versionType":"git","status":"affected"},{"version":"d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db","lessThan":"006a5035b495dec008805df249f92c22c89c3d2e","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["include/net/inet_frag.h","include/net/ipv6_frag.h","net/ipv4/inet_fragment.c","net/ipv4/ip_fragment.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.3","status":"affected"},{"version":"0","lessThan":"5.3","versionType":"semver","status":"unaffected"},{"version":"6.12.93","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.3","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]

CVE Modified by kernel.org 6/09/2026 7:16:46 AM

Action Type Old Value New Value
Added Reference 
https://git.kernel.org/stable/c/543555954b1ee8d1903a7020324efb41b0c97428

New CVE Received from kernel.org 1/13/2026 11:15:56 AM

Action Type Old Value New Value
Added Description 
In the Linux kernel, the following vulnerability has been resolved:

inet: frags: flush pending skbs in fqdir_pre_exit()

We have been seeing occasional deadlocks on pernet_ops_rwsem since
September in NIPA. The stuck task was usually modprobe (often loading
a driver like ipvlan), trying to take the lock as a Writer.
lockdep does not track readers for rwsems so the read wasn't obvious
from the reports.

On closer inspection the Reader holding the lock was conntrack looping
forever in nf_conntrack_cleanup_net_list(). Based on past experience
with occasional NIPA crashes I looked thru the tests which run before
the crash and noticed that the crash follows ip_defrag.sh. An immediate
red flag. Scouring thru (de)fragmentation queues reveals skbs sitting
around, holding conntrack references.

The problem is that since conntrack depends on nf_defrag_ipv6,
nf_defrag_ipv6 will load first. Since nf_defrag_ipv6 loads first its
netns exit hooks run _after_ conntrack's netns exit hook.

Flush all fragment queue SKBs during fqdir_pre_exit() to release
conntrack references before conntrack cleanup runs. Also flush
the queues in timer expiry handlers when they discover fqdir->dead
is set, in case packet sneaks in while we're running the pre_exit
flush.

The commit under Fixes is not exactly the culprit, but I think
previously the timer firing would eventually unblock the spinning
conntrack.
Added Reference 
https://git.kernel.org/stable/c/006a5035b495dec008805df249f92c22c89c3d2e
Added Reference 
https://git.kernel.org/stable/c/c70df25214ac9b32b53e18e6ae3b8f073ffa6903

Quick Info

CVE Dictionary Entry:
CVE-2025-68768
NVD Published Date:
01/13/2026
NVD Last Modified:
06/19/2026
Source:
kernel.org