CVE-2025-68340

EPSS 0.02%
Veröffentlicht 23.12.2025 13:58:25
Zuletzt bearbeitet 23.12.2025 14:51:52
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

In the Linux kernel, the following vulnerability has been resolved:

team: Move team device type change at the end of team_port_add

Attempting to add a port device that is already up will expectedly fail,
but not before modifying the team device header_ops.

In the case of the syzbot reproducer the gre0 device is
already in state UP when it attempts to add it as a
port device of team0, this fails but before that
header_ops->create of team0 is changed from eth_header to ipgre_header
in the call to team_dev_type_check_change.

Later when we end up in ipgre_header() struct ip_tunnel* points to nonsense
as the private data of the device still holds a struct team.

Example sequence of iproute2 commands to reproduce the hang/BUG():
ip link add dev team0 type team
ip link add dev gre0 type gre
ip link set dev gre0 up
ip link set dev gre0 master team0
ip link set dev team0 up
ping -I team0 1.1.1.1

Move team_dev_type_check_change down where all other checks have passed
as it changes the dev type with no way to restore it in case
one of the checks that follow it fail.

Also make sure to preserve the origial mtu assignment:
  - If port_dev is not the same type as dev, dev takes mtu from port_dev
  - If port_dev is the same type as dev, port_dev takes mtu from dev

This is done by adding a conditional before the call to dev_set_mtu
to prevent it from assigning port_dev->mtu = dev->mtu and instead
letting team_dev_type_check_change assign dev->mtu = port_dev->mtu.
The conditional is needed because the patch moves the call to
team_dev_type_check_change past dev_set_mtu.

Testing:
  - team device driver in-tree selftests
  - Add/remove various devices as slaves of team device
  - syzbot

Betroffene Produkte Warnungen 0 Metriken 1 CWE 0 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerLinux

≫

Produkt Linux

Default Statusunaffected

Version < 4040b5e8963982a00aa821300cb746efc9f2947e

Version 1d76efe1577b4323609b1bcbfafa8b731eda071a

Status affected

Version < e3eed4f038214494af62c7d2d64749e5108ce6ca

Version 1d76efe1577b4323609b1bcbfafa8b731eda071a

Status affected

Version < 0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef

Version 1d76efe1577b4323609b1bcbfafa8b731eda071a

Status affected

HerstellerLinux

≫

Produkt Linux

Default Statusaffected

Version 3.7

Status affected

Version < 3.7

Version 0

Status unaffected

Version <= 6.12.*

Version 6.12.61

Status unaffected

Version <= 6.17.*

Version 6.17.11

Status unaffected

Version <= *

Version 6.18

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.058

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String

Es wurden noch keine Informationen zu CWE veröffentlicht.

https://git.kernel.org/stable/c/4040b5e8963982a00aa821300cb746efc9f2947e

https://git.kernel.org/stable/c/e3eed4f038214494af62c7d2d64749e5108ce6ca

https://git.kernel.org/stable/c/0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef

https://nvd.nist.gov/vuln/detail/CVE-2025-68340

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-68340

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-68340

EUVD