CVE-2025-68241
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/12/2025
Last modified:
16/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe

The sit driver's packet transmission path calls: sit_tunnel_xmit() ->
update_or_create_fnhe(), which leads to fnhe_remove_oldest() being called
to delete entries exceeding FNHE_RECLAIM_DEPTH+random.

The race window is between fnhe_remove_oldest() selecting fnheX for
deletion and the subsequent kfree_rcu(). During this time, the
concurrent path's __mkroute_output() -> find_exception() can fetch the
soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a
new dst using a dst_hold(). When the original fnheX is freed via RCU,
the dst reference remains permanently leaked.

CPU 0                                CPU 1
__mkroute_output()
  find_exception() [fnheX]
                                     update_or_create_fnhe()
                                       fnhe_remove_oldest() [fnheX]
  rt_bind_exception() [bind dst]
                                     RCU callback [fnheX freed, dst leak]

This issue manifests as a device reference count leak and a warning in
dmesg when unregistering the net device:

unregister_netdevice: waiting for sitX to become free. Usage count = N

Ido Schimmel provided the simple test validation method [1].

The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes().
Since rt_bind_exception() checks this field, setting it to zero prevents
the stale fnhe from being reused and bound to a new dst just before it
is freed.

[1]
ip netns add ns1
ip -n ns1 link set dev lo up
ip -n ns1 address add 192.0.2.1/32 dev lo
ip -n ns1 link add name dummy1 up type dummy
ip -n ns1 route add 192.0.2.2/32 dev dummy1
ip -n ns1 link add name gretap1 up arp off type gretap \
local 192.0.2.1 remote 192.0.2.2
ip -n ns1 route add 198.51.0.0/16 dev gretap1
taskset -c 0 ip netns exec ns1 mausezahn gretap1 \
-A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &
taskset -c 2 ip netns exec ns1 mausezahn gretap1 \
-A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &
sleep 10
ip netns pids ns1 | xargs kill
ip netns del ns1
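The following is an added toy model of the interleaving in the commit message above, not kernel code: it replays the CPU 0 / CPU 1 steps sequentially in the order of the diagram, omits the fnhe_lock spinlock and RCU, and uses constructed structures and a constructed destination address. It shows why zeroing fnhe_daddr before the flush is enough to make rt_bind_exception() refuse the stale entry.

```c
/* Added toy model of the race, not kernel code: names follow the kernel,
 * but the structures, refcounting and single-threaded replay are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

struct dst { int refcnt; };     /* refcnt models dst_hold()/dst_release() */
struct fnhe {
    uint32_t fnhe_daddr;        /* destination the exception entry is keyed on */
    struct dst *fnhe_rth;       /* cached route bound by rt_bind_exception() */
};

/* find_exception(): CPU 0 fetches the entry for daddr before CPU 1 removes it. */
static struct fnhe *find_exception(struct fnhe *tbl, size_t n, uint32_t daddr)
{
    for (size_t i = 0; i < n; i++)
        if (tbl[i].fnhe_daddr == daddr)
            return &tbl[i];
    return NULL;
}

/* rt_bind_exception(): takes a dst reference only if the key still matches. */
static bool rt_bind_exception(struct fnhe *fnhe, struct dst *rt, uint32_t daddr)
{
    if (fnhe->fnhe_daddr != daddr)
        return false;           /* stale entry: refuse to bind */
    rt->refcnt++;               /* dst_hold() */
    fnhe->fnhe_rth = rt;
    return true;
}

/* fnhe_remove_oldest(): CPU 1 selects fnheX. With the fix the key is zeroed
 * before fnhe_flush_routes(), so a concurrent bind sees a mismatch.
 * kfree_rcu(oldest) follows and the entry is never touched again. */
static void fnhe_remove_oldest(struct fnhe *oldest, bool fixed)
{
    if (fixed)
        oldest->fnhe_daddr = 0;
    if (oldest->fnhe_rth) {     /* fnhe_flush_routes() */
        oldest->fnhe_rth->refcnt--;
        oldest->fnhe_rth = NULL;
    }
}

/* Replay the CPU 0 / CPU 1 interleaving from the commit message and return the
 * dst refcount once fnheX is gone: 0 means balanced, anything else is leaked. */
int replay_race(bool fixed)
{
    struct dst rt = { .refcnt = 0 };
    uint32_t daddr = 0xC6330001;                    /* constructed: 198.51.0.1 */
    struct fnhe table[2] = { { .fnhe_daddr = daddr }, { .fnhe_daddr = daddr + 1 } };
    struct fnhe *x = find_exception(table, 2, daddr);   /* CPU 0 */
    fnhe_remove_oldest(x, fixed);                       /* CPU 1 */
    rt_bind_exception(x, &rt, daddr);                   /* CPU 0: stale bind? */
    return rt.refcnt;                                   /* RCU callback frees fnheX */
}
```

Without the fix the replay ends with one dst reference nobody will ever release; with the fix the bind is refused and the count stays balanced.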
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/041ab9ca6e80d8f792bb69df28ebf1ef39c06af8
- https://git.kernel.org/stable/c/0fd16ed6dc331636fb2a874c42d2f7d3156f7ff0
- https://git.kernel.org/stable/c/298f1e0694ab4edb6092d66efed93c4554e6ced1
- https://git.kernel.org/stable/c/4b7210da22429765d19460d38c30eeca72656282
- https://git.kernel.org/stable/c/69d35c12168f9c59b159ae566f77dfad9f96d7ca
- https://git.kernel.org/stable/c/ac1499fcd40fe06479e9b933347b837ccabc2a40
- https://git.kernel.org/stable/c/b84f083f50ecc736a95091691339a1b363962f0e
- https://git.kernel.org/stable/c/b8a44407bdaf2f0c5505cc7d9fc7d8da90cf9a94