Vulnerability-Lookup

MSRC_CVE-2025-68768

Vulnerability from csaf_microsoft - Published: 2026-01-02 00:00 - Updated: 2026-02-18 14:21

Summary

inet: frags: flush pending skbs in fqdir_pre_exit()

Notes

Additional Resources

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer

The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2025-68768 inet: frags: flush pending skbs in fqdir_pre_exit() - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2025-68768.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "inet: frags: flush pending skbs in fqdir_pre_exit()",
    "tracking": {
      "current_release_date": "2026-02-18T14:21:44.000Z",
      "generator": {
        "date": "2026-02-18T14:43:41.767Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2025-68768",
      "initial_release_date": "2026-01-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-01-15T01:03:13.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        },
        {
          "date": "2026-01-21T01:44:15.000Z",
          "legacy_version": "2",
          "number": "2",
          "summary": "Information published."
        },
        {
          "date": "2026-02-18T14:21:44.000Z",
          "legacy_version": "3",
          "number": "3",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 kernel 6.6.119.3-1",
                "product": {
                  "name": "azl3 kernel 6.6.119.3-1",
                  "product_id": "3"
                }
              },
              {
                "category": "product_version_range",
                "name": "azl3 kernel 6.6.119.3-3",
                "product": {
                  "name": "azl3 kernel 6.6.119.3-3",
                  "product_id": "2"
                }
              },
              {
                "category": "product_version_range",
                "name": "azl3 kernel 6.6.121.1-1",
                "product": {
                  "name": "azl3 kernel 6.6.121.1-1",
                  "product_id": "1"
                }
              }
            ],
            "category": "product_name",
            "name": "kernel"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 kernel 6.6.119.3-1 as a component of Azure Linux 3.0",
          "product_id": "17084-3"
        },
        "product_reference": "3",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 kernel 6.6.119.3-3 as a component of Azure Linux 3.0",
          "product_id": "17084-2"
        },
        "product_reference": "2",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 kernel 6.6.121.1-1 as a component of Azure Linux 3.0",
          "product_id": "17084-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17084"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-68768",
      "notes": [
        {
          "category": "general",
          "text": "Linux",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "known_affected": [
          "17084-3",
          "17084-2",
          "17084-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-68768 inet: frags: flush pending skbs in fqdir_pre_exit() - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2025-68768.json"
        }
      ],
      "remediations": [
        {
          "category": "none_available",
          "date": "2026-01-15T01:03:13.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-3"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-01-15T01:03:13.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-2"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-01-15T01:03:13.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-1"
          ]
        }
      ],
      "title": "inet: frags: flush pending skbs in fqdir_pre_exit()"
    }
  ]
}

CVE-2025-68768 (GCVE-0-2025-68768)

Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-02-09 08:33

Title

inet: frags: flush pending skbs in fqdir_pre_exit()

Summary

In the Linux kernel, the following vulnerability has been resolved: inet: frags: flush pending skbs in fqdir_pre_exit() We have been seeing occasional deadlocks on pernet_ops_rwsem since September in NIPA. The stuck task was usually modprobe (often loading a driver like ipvlan), trying to take the lock as a Writer. lockdep does not track readers for rwsems so the read wasn't obvious from the reports. On closer inspection the Reader holding the lock was conntrack looping forever in nf_conntrack_cleanup_net_list(). Based on past experience with occasional NIPA crashes I looked thru the tests which run before the crash and noticed that the crash follows ip_defrag.sh. An immediate red flag. Scouring thru (de)fragmentation queues reveals skbs sitting around, holding conntrack references. The problem is that since conntrack depends on nf_defrag_ipv6, nf_defrag_ipv6 will load first. Since nf_defrag_ipv6 loads first its netns exit hooks run _after_ conntrack's netns exit hook. Flush all fragment queue SKBs during fqdir_pre_exit() to release conntrack references before conntrack cleanup runs. Also flush the queues in timer expiry handlers when they discover fqdir->dead is set, in case packet sneaks in while we're running the pre_exit flush. The commit under Fixes is not exactly the culprit, but I think previously the timer firing would eventually unblock the spinning conntrack.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c70df25214ac9b32b…
	https://git.kernel.org/stable/c/006a5035b495dec00…

Impacted products

Vendor

Product

Version

Linux

Affected: d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db , < c70df25214ac9b32b53e18e6ae3b8f073ffa6903 (git)
Affected: d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db , < 006a5035b495dec008805df249f92c22c89c3d2e (git)

Linux

Affected: 5.3
Unaffected: 0 , < 5.3 (semver)
Unaffected: 6.18.3 , ≤ 6.18.* (semver)
Unaffected: 6.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/inet_frag.h",
            "include/net/ipv6_frag.h",
            "net/ipv4/inet_fragment.c",
            "net/ipv4/ip_fragment.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c70df25214ac9b32b53e18e6ae3b8f073ffa6903",
              "status": "affected",
              "version": "d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db",
              "versionType": "git"
            },
            {
              "lessThan": "006a5035b495dec008805df249f92c22c89c3d2e",
              "status": "affected",
              "version": "d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/inet_frag.h",
            "include/net/ipv6_frag.h",
            "net/ipv4/inet_fragment.c",
            "net/ipv4/ip_fragment.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.3"
            },
            {
              "lessThan": "5.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.3",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet: frags: flush pending skbs in fqdir_pre_exit()\n\nWe have been seeing occasional deadlocks on pernet_ops_rwsem since\nSeptember in NIPA. The stuck task was usually modprobe (often loading\na driver like ipvlan), trying to take the lock as a Writer.\nlockdep does not track readers for rwsems so the read wasn\u0027t obvious\nfrom the reports.\n\nOn closer inspection the Reader holding the lock was conntrack looping\nforever in nf_conntrack_cleanup_net_list(). Based on past experience\nwith occasional NIPA crashes I looked thru the tests which run before\nthe crash and noticed that the crash follows ip_defrag.sh. An immediate\nred flag. Scouring thru (de)fragmentation queues reveals skbs sitting\naround, holding conntrack references.\n\nThe problem is that since conntrack depends on nf_defrag_ipv6,\nnf_defrag_ipv6 will load first. Since nf_defrag_ipv6 loads first its\nnetns exit hooks run _after_ conntrack\u0027s netns exit hook.\n\nFlush all fragment queue SKBs during fqdir_pre_exit() to release\nconntrack references before conntrack cleanup runs. Also flush\nthe queues in timer expiry handlers when they discover fqdir-\u003edead\nis set, in case packet sneaks in while we\u0027re running the pre_exit\nflush.\n\nThe commit under Fixes is not exactly the culprit, but I think\npreviously the timer firing would eventually unblock the spinning\nconntrack."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-09T08:33:13.157Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c70df25214ac9b32b53e18e6ae3b8f073ffa6903"
        },
        {
          "url": "https://git.kernel.org/stable/c/006a5035b495dec008805df249f92c22c89c3d2e"
        }
      ],
      "title": "inet: frags: flush pending skbs in fqdir_pre_exit()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68768",
    "datePublished": "2026-01-13T15:28:47.106Z",
    "dateReserved": "2025-12-24T10:30:51.034Z",
    "dateUpdated": "2026-02-09T08:33:13.157Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

MSRC_CVE-2025-68768

CVE-2025-68768 (GCVE-0-2025-68768)

Tags

Sightings

Nomenclature