CVE-2025-68768

NONE EPSS 6.4%
Published Jan 13, 2026 5mo ago
Last Modified Jun 19, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved:

inet: frags: flush pending skbs in fqdir_pre_exit()

We have been seeing occasional deadlocks on pernet_ops_rwsem since September in NIPA. The stuck task was usually modprobe (often loading a driver like ipvlan), trying to take the lock as a Writer. lockdep does not track readers for rwsems so the read wasn't obvious from the reports.

On closer inspection the Reader holding the lock was conntrack looping forever in nf_conntrack_cleanup_net_list(). Based on past experience with occasional NIPA crashes I looked thru the tests which run before the crash and noticed that the crash follows ip_defrag.sh. An immediate red flag. Scouring thru (de)fragmentation queues reveals skbs sitting around, holding conntrack references.

The problem is that since conntrack depends on nf_defrag_ipv6, nf_defrag_ipv6 will load first. Since nf_defrag_ipv6 loads first its netns exit hooks run _after_ conntrack's netns exit hook.

Flush all fragment queue SKBs during fqdir_pre_exit() to release conntrack references before conntrack cleanup runs. Also flush the queues in timer expiry handlers when they discover fqdir->dead is set, in case packet sneaks in while we're running the pre_exit flush.

The commit under Fixes is not exactly the culprit, but I think previously the timer firing would eventually unblock the spinning conntrack.

Threat Intelligence

EPSS Exploit Probability
6.4% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

References 4

  • git.kernel.org https://git.kernel.org/stable/c/006a5035b495dec008805df249f92c22c89c3d2e
  • git.kernel.org https://git.kernel.org/stable/c/22ee4010866da81aeee08e1ea3fddbe418feb212
  • git.kernel.org https://git.kernel.org/stable/c/543555954b1ee8d1903a7020324efb41b0c97428
  • git.kernel.org https://git.kernel.org/stable/c/c70df25214ac9b32b53e18e6ae3b8f073ffa6903

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.