{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-68241","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-16T13:41:40.263Z","datePublished":"2025-12-16T14:21:18.682Z","dateUpdated":"2026-05-11T21:49:33.814Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:49:33.814Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe\n\nThe sit driver's packet transmission path calls: sit_tunnel_xmit() ->\nupdate_or_create_fnhe(), which leads to fnhe_remove_oldest() being called\nto delete entries exceeding FNHE_RECLAIM_DEPTH+random.\n\nThe race window is between fnhe_remove_oldest() selecting fnheX for\ndeletion and the subsequent kfree_rcu(). During this time, the\nconcurrent path's __mkroute_output() -> find_exception() can fetch the\nsoon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a\nnew dst using a dst_hold(). When the original fnheX is freed via RCU,\nthe dst reference remains permanently leaked.\n\nCPU 0                             CPU 1\n__mkroute_output()\n  find_exception() [fnheX]\n                                  update_or_create_fnhe()\n                                    fnhe_remove_oldest() [fnheX]\n  rt_bind_exception() [bind dst]\n                                  RCU callback [fnheX freed, dst leak]\n\nThis issue manifests as a device reference count leak and a warning in\ndmesg when unregistering the net device:\n\n  unregister_netdevice: waiting for sitX to become free. 
Usage count = N\n\nIdo Schimmel provided the simple test validation method [1].\n\nThe fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes().\nSince rt_bind_exception() checks this field, setting it to zero prevents\nthe stale fnhe from being reused and bound to a new dst just before it\nis freed.\n\n[1]\nip netns add ns1\nip -n ns1 link set dev lo up\nip -n ns1 address add 192.0.2.1/32 dev lo\nip -n ns1 link add name dummy1 up type dummy\nip -n ns1 route add 192.0.2.2/32 dev dummy1\nip -n ns1 link add name gretap1 up arp off type gretap \\\n    local 192.0.2.1 remote 192.0.2.2\nip -n ns1 route add 198.51.0.0/16 dev gretap1\ntaskset -c 0 ip netns exec ns1 mausezahn gretap1 \\\n    -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &\ntaskset -c 2 ip netns exec ns1 mausezahn gretap1 \\\n    -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &\nsleep 10\nip netns pids ns1 | xargs kill\nip netns del ns1"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/route.c"],"versions":[{"version":"e46e23c289f62ccd8e2230d9ce652072d777ff30","lessThan":"69d35c12168f9c59b159ae566f77dfad9f96d7ca","status":"affected","versionType":"git"},{"version":"5867e20e1808acd0c832ddea2587e5ee49813874","lessThan":"4b7210da22429765d19460d38c30eeca72656282","status":"affected","versionType":"git"},{"version":"67d6d681e15b578c1725bad8ad079e05d1c48a8e","lessThan":"298f1e0694ab4edb6092d66efed93c4554e6ced1","status":"affected","versionType":"git"},{"version":"67d6d681e15b578c1725bad8ad079e05d1c48a8e","lessThan":"b8a44407bdaf2f0c5505cc7d9fc7d8da90cf9a94","status":"affected","versionType":"git"},{"version":"67d6d681e15b578c1725bad8ad079e05d1c48a8e","lessThan":"041ab9ca6e80d8f792bb69df28ebf1ef39c06af8","status":"affected","versionType":"git"},{"version":"67d6d681e15b578c1725bad8ad079e05d1c48a8e","lessThan":"b84f083f50ecc736a95091691339a1b363962f0e","status"
:"affected","versionType":"git"},{"version":"67d6d681e15b578c1725bad8ad079e05d1c48a8e","lessThan":"0fd16ed6dc331636fb2a874c42d2f7d3156f7ff0","status":"affected","versionType":"git"},{"version":"67d6d681e15b578c1725bad8ad079e05d1c48a8e","lessThan":"ac1499fcd40fe06479e9b933347b837ccabc2a40","status":"affected","versionType":"git"},{"version":"bed8941fbdb72a61f6348c4deb0db69c4de87aca","status":"affected","versionType":"git"},{"version":"f10ce783bcc4d8ea454563a7d56ae781640e7dcb","status":"affected","versionType":"git"},{"version":"f484595be6b7ef9d095a32becabb5dae8204fb2a","status":"affected","versionType":"git"},{"version":"3e6bd2b583f18da9856fc9741ffa200a74a52cba","status":"affected","versionType":"git"},{"version":"5ae06218331f39ec45b5d039aa7cb3ddd4bb8008","status":"affected","versionType":"git"},{"version":"4589a12dcf80af31137ef202be1ff4a321707a73","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/route.c"],"versions":[{"version":"5.15","status":"affected"},{"version":"0","lessThan":"5.15","status":"unaffected","versionType":"semver"},{"version":"5.4.302","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.247","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.197","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.159","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.117","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.59","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.9","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"
operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.146","versionEndExcluding":"5.4.302"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.65","versionEndExcluding":"5.10.247"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"5.15.197"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.1.159"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.6.117"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.12.59"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.17.9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.18"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.4.284"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9.283"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14.247"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.207"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13.17"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14.4"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/69d35c12168f9c59b159ae566f77dfad9f96d7ca"},{"url":"https://git.kernel.org/stable/c/4b7210da224
29765d19460d38c30eeca72656282"},{"url":"https://git.kernel.org/stable/c/298f1e0694ab4edb6092d66efed93c4554e6ced1"},{"url":"https://git.kernel.org/stable/c/b8a44407bdaf2f0c5505cc7d9fc7d8da90cf9a94"},{"url":"https://git.kernel.org/stable/c/041ab9ca6e80d8f792bb69df28ebf1ef39c06af8"},{"url":"https://git.kernel.org/stable/c/b84f083f50ecc736a95091691339a1b363962f0e"},{"url":"https://git.kernel.org/stable/c/0fd16ed6dc331636fb2a874c42d2f7d3156f7ff0"},{"url":"https://git.kernel.org/stable/c/ac1499fcd40fe06479e9b933347b837ccabc2a40"}],"title":"ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe","x_generator":{"engine":"bippy-1.2.0"}}}}