Home

Description

In the Linux kernel, the following vulnerability has been resolved: ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe The sit driver's packet transmission path calls: sit_tunnel_xmit() -> update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called to delete entries exceeding FNHE_RECLAIM_DEPTH+random. The race window is between fnhe_remove_oldest() selecting fnheX for deletion and the subsequent kfree_rcu(). During this time, the concurrent path's __mkroute_output() -> find_exception() can fetch the soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a new dst using a dst_hold(). When the original fnheX is freed via RCU, the dst reference remains permanently leaked. CPU 0 CPU 1 __mkroute_output() find_exception() [fnheX] update_or_create_fnhe() fnhe_remove_oldest() [fnheX] rt_bind_exception() [bind dst] RCU callback [fnheX freed, dst leak] This issue manifests as a device reference count leak and a warning in dmesg when unregistering the net device: unregister_netdevice: waiting for sitX to become free. Usage count = N Ido Schimmel provided the simple test validation method [1]. The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes(). Since rt_bind_exception() checks this field, setting it to zero prevents the stale fnhe from being reused and bound to a new dst just before it is freed. [1] ip netns add ns1 ip -n ns1 link set dev lo up ip -n ns1 address add 192.0.2.1/32 dev lo ip -n ns1 link add name dummy1 up type dummy ip -n ns1 route add 192.0.2.2/32 dev dummy1 ip -n ns1 link add name gretap1 up arp off type gretap \ local 192.0.2.1 remote 192.0.2.2 ip -n ns1 route add 198.51.0.0/16 dev gretap1 taskset -c 0 ip netns exec ns1 mausezahn gretap1 \ -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & taskset -c 2 ip netns exec ns1 mausezahn gretap1 \ -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & sleep 10 ip netns pids ns1 | xargs kill ip netns del ns1

PUBLISHED Reserved 2025-12-16 | Published 2025-12-16 | Updated 2025-12-16 | Assigner Linux

Product status

Default status
unaffected

e46e23c289f62ccd8e2230d9ce652072d777ff30 (git) before 69d35c12168f9c59b159ae566f77dfad9f96d7ca
affected

5867e20e1808acd0c832ddea2587e5ee49813874 (git) before 4b7210da22429765d19460d38c30eeca72656282
affected

67d6d681e15b578c1725bad8ad079e05d1c48a8e (git) before 298f1e0694ab4edb6092d66efed93c4554e6ced1
affected

67d6d681e15b578c1725bad8ad079e05d1c48a8e (git) before b8a44407bdaf2f0c5505cc7d9fc7d8da90cf9a94
affected

67d6d681e15b578c1725bad8ad079e05d1c48a8e (git) before 041ab9ca6e80d8f792bb69df28ebf1ef39c06af8
affected

67d6d681e15b578c1725bad8ad079e05d1c48a8e (git) before b84f083f50ecc736a95091691339a1b363962f0e
affected

67d6d681e15b578c1725bad8ad079e05d1c48a8e (git) before 0fd16ed6dc331636fb2a874c42d2f7d3156f7ff0
affected

67d6d681e15b578c1725bad8ad079e05d1c48a8e (git) before ac1499fcd40fe06479e9b933347b837ccabc2a40
affected

bed8941fbdb72a61f6348c4deb0db69c4de87aca (git)
affected

f10ce783bcc4d8ea454563a7d56ae781640e7dcb (git)
affected

f484595be6b7ef9d095a32becabb5dae8204fb2a (git)
affected

3e6bd2b583f18da9856fc9741ffa200a74a52cba (git)
affected

5ae06218331f39ec45b5d039aa7cb3ddd4bb8008 (git)
affected

4589a12dcf80af31137ef202be1ff4a321707a73 (git)
affected

Default status
affected

5.15
affected

Any version before 5.15
unaffected

5.4.302 (semver)
unaffected

5.10.247 (semver)
unaffected

5.15.197 (semver)
unaffected

6.1.159 (semver)
unaffected

6.6.117 (semver)
unaffected

6.12.59 (semver)
unaffected

6.17.9 (semver)
unaffected

6.18 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/69d35c12168f9c59b159ae566f77dfad9f96d7ca

git.kernel.org/...c/4b7210da22429765d19460d38c30eeca72656282

git.kernel.org/...c/298f1e0694ab4edb6092d66efed93c4554e6ced1

git.kernel.org/...c/b8a44407bdaf2f0c5505cc7d9fc7d8da90cf9a94

git.kernel.org/...c/041ab9ca6e80d8f792bb69df28ebf1ef39c06af8

git.kernel.org/...c/b84f083f50ecc736a95091691339a1b363962f0e

git.kernel.org/...c/0fd16ed6dc331636fb2a874c42d2f7d3156f7ff0

git.kernel.org/...c/ac1499fcd40fe06479e9b933347b837ccabc2a40

cve.org (CVE-2025-68241)

nvd.nist.gov (CVE-2025-68241)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.