Message-ID: <2026011312-CVE-2025-68813-13a5@gregkh>
Date: Tue, 13 Jan 2026 16:29:39 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-68813: ipvs: fix ipv4 null-ptr-deref in route error path

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

ipvs: fix ipv4 null-ptr-deref in route error path

The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure()
without ensuring skb->dev is set, leading to a NULL pointer dereference
in fib_compute_spec_dst() when ipv4_link_failure() attempts to send
ICMP destination unreachable messages.

The issue emerged after commit ed0de45a1008 ("ipv4: recompile ip options
in ipv4_link_failure") started calling __ip_options_compile() from
ipv4_link_failure(). This code path eventually calls fib_compute_spec_dst()
which dereferences skb->dev. An attempt was made to fix the NULL skb->dev
dereference in commit 0113d9c9d1cc ("ipv4: fix null-deref in
ipv4_link_failure"), but it only addressed the immediate dev_net(skb->dev)
dereference by using a fallback device. The fix was incomplete because
fib_compute_spec_dst() later in the call chain still accesses skb->dev
directly, which remains NULL when IPVS calls dst_link_failure().

The crash occurs when:
1. IPVS processes a packet in NAT mode with a misconfigured destination
2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route
3. The error path calls dst_link_failure(skb) with skb->dev == NULL
4. ipv4_link_failure() → ipv4_send_dest_unreach() →
   __ip_options_compile() → fib_compute_spec_dst()
5. fib_compute_spec_dst() dereferences NULL skb->dev

Apply the same fix used for IPv6 in commit 326bf17ea5d4 ("ipvs: fix
ipv6 route unreach panic"): set skb->dev from skb_dst(skb)->dev before
calling dst_link_failure().

KASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f]
CPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2
RIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233
RIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285
Call Trace:
  <TASK>
  spec_dst_fill net/ipv4/ip_options.c:232
  spec_dst_fill net/ipv4/ip_options.c:229
  __ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330
  ipv4_send_dest_unreach net/ipv4/route.c:1252
  ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265
  dst_link_failure include/net/dst.h:437
  __ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412
  ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764
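
A user-space model of the error path, added here as an illustration and not taken from the kernel source: it shows why dst_link_failure() needs skb->dev populated and how setting it from skb_dst(skb)->dev, as the fix does, removes the NULL dereference. The struct and function names are simplified stand-ins for the kernel ones, and the "crash" is reported as a return value instead of a fault.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified stand-ins for the kernel structs involved (not kernel code). */
struct net_device { const char *name; };
struct dst_entry  { struct net_device *dev; };
struct sk_buff    { struct net_device *dev; struct dst_entry *dst; };

static struct dst_entry *skb_dst(const struct sk_buff *skb) { return skb->dst; }

/* Models fib_compute_spec_dst(), which reads skb->dev unconditionally.
 * Instead of faulting like the kernel, it reports a would-be NULL read. */
static bool fib_compute_spec_dst_model(const struct sk_buff *skb)
{
    if (!skb->dev)
        return true;              /* kernel: null-ptr-deref here */
    (void)skb->dev->name;         /* the access that needs a valid dev */
    return false;
}

/* Models dst_link_failure() -> ipv4_link_failure() ->
 * ipv4_send_dest_unreach() -> __ip_options_compile() -> fib_compute_spec_dst() */
static bool dst_link_failure_model(const struct sk_buff *skb)
{
    return fib_compute_spec_dst_model(skb);
}

/* err_unreach before the fix: skb->dev is still NULL because the route
 * lookup failed before IPVS attached an output device. */
bool ipvs_err_unreach_vulnerable(struct sk_buff *skb)
{
    return dst_link_failure_model(skb);
}

/* err_unreach after the fix: take the device from the dst already on the
 * skb, as the IPv6 path does. Assumes skb_dst(skb) != NULL, as the fix does. */
bool ipvs_err_unreach_fixed(struct sk_buff *skb)
{
    skb->dev = skb_dst(skb)->dev;
    return dst_link_failure_model(skb);
}

/* Constructed scenario: NAT-mode skb with dev unset but a dst attached.
 * Returns true if the chosen variant of the error path would have crashed. */
bool would_crash(bool apply_fix)
{
    struct net_device eth0 = { "eth0" };
    struct dst_entry  dst  = { &eth0 };
    struct sk_buff    skb  = { NULL, &dst };
    return apply_fix ? ipvs_err_unreach_fixed(&skb)
                     : ipvs_err_unreach_vulnerable(&skb);
}
```

The model only captures the ordering problem (dev read before it is set); the real trace above runs through ICMP generation, which the stand-ins omit.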

The Linux kernel CVE team has assigned CVE-2025-68813 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.1 with commit ed0de45a1008991fdaa27a0152befcb74d126a8b and fixed in 6.1.160 with commit cdeff10851c37a002d87a035818ebd60fdb74447
	Issue introduced in 5.1 with commit ed0de45a1008991fdaa27a0152befcb74d126a8b and fixed in 6.6.120 with commit 4729ff0581fbb7ad098b6153b76b6f5aac94618a
	Issue introduced in 5.1 with commit ed0de45a1008991fdaa27a0152befcb74d126a8b and fixed in 6.12.64 with commit 25ab24df31f7af843c96a38e0781b9165216e1a8
	Issue introduced in 5.1 with commit ed0de45a1008991fdaa27a0152befcb74d126a8b and fixed in 6.18.3 with commit 689a627d14788ad772e0fa24c2e57a23dbc7ce90
	Issue introduced in 5.1 with commit ed0de45a1008991fdaa27a0152befcb74d126a8b and fixed in 6.19-rc2 with commit ad891bb3d079a46a821bf2b8867854645191bab0
	Issue introduced in 3.18.139 with commit 6c2fa855d8178699706b1192db2f1f8102b0ba1e
	Issue introduced in 4.4.179 with commit fbf569d2beee2a4a7a0bc8b619c26101d1211a88
	Issue introduced in 4.9.171 with commit ff71f99d5fb2daf54340e8b290d0bc4e6b4c1d38
	Issue introduced in 4.14.114 with commit 3d988fcddbe7b8673a231958bd2fba61b5a7ced9
	Issue introduced in 4.19.37 with commit 8a430e56a6485267a1b2d3747209d26c54d1a34b
	Issue introduced in 5.0.10 with commit 6bd1ee0a993fc9574ae43c1994c54a60cb23a380

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-68813
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/netfilter/ipvs/ip_vs_xmit.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/cdeff10851c37a002d87a035818ebd60fdb74447
	https://git.kernel.org/stable/c/4729ff0581fbb7ad098b6153b76b6f5aac94618a
	https://git.kernel.org/stable/c/25ab24df31f7af843c96a38e0781b9165216e1a8
	https://git.kernel.org/stable/c/689a627d14788ad772e0fa24c2e57a23dbc7ce90
	https://git.kernel.org/stable/c/ad891bb3d079a46a821bf2b8867854645191bab0
