-

CVE-2025-68241

In the Linux kernel, the following vulnerability has been resolved:

ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe

The sit driver's packet transmission path calls: sit_tunnel_xmit() ->
update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called
to delete entries exceeding FNHE_RECLAIM_DEPTH+random.

The race window is between fnhe_remove_oldest() selecting fnheX for
deletion and the subsequent kfree_rcu(). During this time, the
concurrent path's __mkroute_output() -> find_exception() can fetch the
soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a
new dst using a dst_hold(). When the original fnheX is freed via RCU,
the dst reference remains permanently leaked.

CPU 0                             CPU 1
__mkroute_output()
  find_exception() [fnheX]
                                  update_or_create_fnhe()
                                    fnhe_remove_oldest() [fnheX]
  rt_bind_exception() [bind dst]
                                  RCU callback [fnheX freed, dst leak]

This issue manifests as a device reference count leak and a warning in
dmesg when unregistering the net device:

  unregister_netdevice: waiting for sitX to become free. Usage count = N

Ido Schimmel provided the simple test validation method [1].

The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes().
Since rt_bind_exception() checks this field, setting it to zero prevents
the stale fnhe from being reused and bound to a new dst just before it
is freed.

[1]
ip netns add ns1
ip -n ns1 link set dev lo up
ip -n ns1 address add 192.0.2.1/32 dev lo
ip -n ns1 link add name dummy1 up type dummy
ip -n ns1 route add 192.0.2.2/32 dev dummy1
ip -n ns1 link add name gretap1 up arp off type gretap \
    local 192.0.2.1 remote 192.0.2.2
ip -n ns1 route add 198.51.0.0/16 dev gretap1
taskset -c 0 ip netns exec ns1 mausezahn gretap1 \
    -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &
taskset -c 2 ip netns exec ns1 mausezahn gretap1 \
    -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &
sleep 10
ip netns pids ns1 | xargs kill
ip netns del ns1
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version < 69d35c12168f9c59b159ae566f77dfad9f96d7ca
Version e46e23c289f62ccd8e2230d9ce652072d777ff30
Status affected
Version < 4b7210da22429765d19460d38c30eeca72656282
Version 5867e20e1808acd0c832ddea2587e5ee49813874
Status affected
Version < 298f1e0694ab4edb6092d66efed93c4554e6ced1
Version 67d6d681e15b578c1725bad8ad079e05d1c48a8e
Status affected
Version < b8a44407bdaf2f0c5505cc7d9fc7d8da90cf9a94
Version 67d6d681e15b578c1725bad8ad079e05d1c48a8e
Status affected
Version < 041ab9ca6e80d8f792bb69df28ebf1ef39c06af8
Version 67d6d681e15b578c1725bad8ad079e05d1c48a8e
Status affected
Version < b84f083f50ecc736a95091691339a1b363962f0e
Version 67d6d681e15b578c1725bad8ad079e05d1c48a8e
Status affected
Version < 0fd16ed6dc331636fb2a874c42d2f7d3156f7ff0
Version 67d6d681e15b578c1725bad8ad079e05d1c48a8e
Status affected
Version < ac1499fcd40fe06479e9b933347b837ccabc2a40
Version 67d6d681e15b578c1725bad8ad079e05d1c48a8e
Status affected
Version bed8941fbdb72a61f6348c4deb0db69c4de87aca
Status affected
Version f10ce783bcc4d8ea454563a7d56ae781640e7dcb
Status affected
Version f484595be6b7ef9d095a32becabb5dae8204fb2a
Status affected
Version 3e6bd2b583f18da9856fc9741ffa200a74a52cba
Status affected
Version 5ae06218331f39ec45b5d039aa7cb3ddd4bb8008
Status affected
Version 4589a12dcf80af31137ef202be1ff4a321707a73
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 5.15
Status affected
Version < 5.15
Version 0
Status unaffected
Version <= 5.4.*
Version 5.4.302
Status unaffected
Version <= 5.10.*
Version 5.10.247
Status unaffected
Version <= 5.15.*
Version 5.15.197
Status unaffected
Version <= 6.1.*
Version 6.1.159
Status unaffected
Version <= 6.6.*
Version 6.6.117
Status unaffected
Version <= 6.12.*
Version 6.12.59
Status unaffected
Version <= 6.17.*
Version 6.17.9
Status unaffected
Version <= *
Version 6.18
Status unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.06% 0.191
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
Es wurden noch keine Informationen zu CWE veröffentlicht.