{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-68341","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-16T14:48:05.298Z","datePublished":"2025-12-23T13:58:26.749Z","dateUpdated":"2026-05-11T21:51:19.293Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:51:19.293Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nveth: reduce XDP no_direct return section to fix race\n\nAs explain in commit fa349e396e48 (\"veth: Fix race with AF_XDP exposing\nold or uninitialized descriptors\") for veth there is a chance after\nnapi_complete_done() that another CPU can manage start another NAPI\ninstance running veth_pool(). For NAPI this is correctly handled as the\nnapi_schedule_prep() check will prevent multiple instances from getting\nscheduled, but for the remaining code in veth_pool() this can run\nconcurrent with the newly started NAPI instance.\n\nThe problem/race is that xdp_clear_return_frame_no_direct() isn't\ndesigned to be nested.\n\nPrior to commit 401cb7dae813 (\"net: Reference bpf_redirect_info via\ntask_struct on PREEMPT_RT.\") the temporary BPF net context\nbpf_redirect_info was stored per CPU, where this wasn't an issue. Since\nthis commit the BPF context is stored in 'current' task_struct. When\nrunning veth in threaded-NAPI mode, then the kthread becomes the storage\narea. Now a race exists between two concurrent veth_pool() function calls\none exiting NAPI and one running new NAPI, both using the same BPF net\ncontext.\n\nRace is when another CPU gets within the xdp_set_return_frame_no_direct()\nsection before exiting veth_pool() calls the clear-function\nxdp_clear_return_frame_no_direct()."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/veth.c"],"versions":[{"version":"401cb7dae8130fd34eb84648e02ab4c506df7d5e","lessThan":"c1ceabcb347d1b0f7e70a7384ec7eff3847b7628","status":"affected","versionType":"git"},{"version":"401cb7dae8130fd34eb84648e02ab4c506df7d5e","lessThan":"d0bd018ad72a8a598ae709588934135017f8af52","status":"affected","versionType":"git"},{"version":"401cb7dae8130fd34eb84648e02ab4c506df7d5e","lessThan":"a14602fcae17a3f1cb8a8521bedf31728f9e7e39","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/veth.c"],"versions":[{"version":"6.11","status":"affected"},{"version":"0","lessThan":"6.11","status":"unaffected","versionType":"semver"},{"version":"6.12.61","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.11","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11","versionEndExcluding":"6.12.61"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11","versionEndExcluding":"6.17.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11","versionEndExcluding":"6.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/c1ceabcb347d1b0f7e70a7384ec7eff3847b7628"},{"url":"https://git.kernel.org/stable/c/d0bd018ad72a8a598ae709588934135017f8af52"},{"url":"https://git.kernel.org/stable/c/a14602fcae17a3f1cb8a8521bedf31728f9e7e39"}],"title":"veth: reduce XDP no_direct return section to fix race","x_generator":{"engine":"bippy-1.2.0"}}}}