LiveActive security incident?Get immediate response
CVE Record

CVE-2025-68241: ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe

In the Linux kernel, the following vulnerability has been resolved: ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe The sit driver's packet transmission path calls: sit_tunnel_xmit() -> update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called to delete entries exceeding FNHE_RECLAIM_DEPTH+random. The race window is between fnhe_remove_oldest() selecting fnheX for deletion and the subsequent kfree_rcu(). During this time, the concurrent path's __mkroute_output() -> find_exception() can fetch the soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a new dst using a dst_hold(). When the original fnheX is freed via RCU, the dst reference remains permanently leaked. CPU 0 CPU 1 __mkroute_output() find_exception() [fnheX] update_or_create_fnhe() fnhe_remove_oldest() [fnheX] rt_bind_exception() [bind dst] RCU callback [fnheX freed, dst leak] This issue manifests as a device reference count leak and a warning in dmesg when unregistering the net device: unregister_netdevice: waiting for sitX to become free. Usage count = N Ido Schimmel provided the simple test validation method [1]. The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes(). Since rt_bind_exception() checks this field, setting it to zero prevents the stale fnhe from being reused and bound to a new dst just before it is freed. [1] ip netns add ns1 ip -n ns1 link set dev lo up ip -n ns1 address add 192.0.2.1/32 dev lo ip -n ns1 link add name dummy1 up type dummy ip -n ns1 route add 192.0.2.2/32 dev dummy1 ip -n ns1 link add name gretap1 up arp off type gretap \ local 192.0.2.1 remote 192.0.2.2 ip -n ns1 route add 198.51.0.0/16 dev gretap1 taskset -c 0 ip netns exec ns1 mausezahn gretap1 \ -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & taskset -c 2 ip netns exec ns1 mausezahn gretap1 \ -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & sleep 10 ip netns pids ns1 | xargs kill ip netns del ns1

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2025-68241 is a Linux kernel networking bug that can leak device references during a race in IPv4 route exception handling. The visible impact is a network device that cannot be cleanly unregistered, with kernel warnings. Sources do not indicate data theft, code execution, or active exploitation.

Executive priority

Schedule remediation in the normal kernel patch cycle, faster for systems relying on tunnel networking. Treat as an availability and operations risk rather than a confirmed breach-enabling issue. Escalate if vendors rate your distribution build higher.

Technical view

The race occurs between fnhe_remove_oldest() selecting an IPv4 route exception for deletion and RCU freeing it. A concurrent find_exception()/rt_bind_exception() path can bind a stale fnhe to a new dst, leaking the dst reference. The fix clears oldest->fnhe_daddr before fnhe_flush_routes(), preventing stale rebinding.

Likely exposure

Most relevant to Linux systems using affected kernel versions and tunnel or routing paths that exercise IPv4 route exceptions, including the sit driver path described in the CVE. Internet exposure is not established by the sources. Distro backports may change practical exposure.

Exploitation context

No KEV listing and no cited source reports active exploitation. The CVE describes a race condition triggered by concurrent networking activity, resulting in a reference leak and unregister_netdevice warnings. The supplied validation method is a lab reproduction, not evidence of weaponized exploitation.

Researcher notes

The CVE record provides the root cause and fix logic but no CVSS, CWE, or exploitation evidence. Affected-version data is branch-specific and should be reconciled with downstream distro backports before declaring systems vulnerable or fixed.

Mitigation direction

  • Apply Linux kernel updates containing the referenced stable fixes.
  • Use distribution kernel advisories to identify the corrected package for your branch.
  • Prioritize systems using tunnel interfaces or heavy IPv4 routing exception activity.
  • Monitor kernel logs for unregister_netdevice usage-count warnings.
  • If updates are unavailable, consult vendor guidance for branch-specific mitigation.

Validation and detection

  • Map running kernels to vendor advisories and the referenced upstream stable commits.
  • Check whether affected hosts use sit or related tunnel networking paths.
  • Review dmesg for unregister_netdevice waiting messages and usage counts.
  • Confirm updated kernels include the CVE-2025-68241 fix or equivalent backport.
  • Perform any race validation only in an isolated lab environment.
Prepared
Confidence
medium
Sources
10

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-68241 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
9Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxe46e23c289f62ccd8e2230d9ce652072d777ff30, 5867e20e1808acd0c832ddea2587e5ee49813874, 67d6d681e15b578c1725bad8ad079e05d1c48a8e, 67d6d681e15b578c1725bad8ad079e05d1c48a8e, 67d6d681e15b578c1725bad8ad079e05d1c48a8e, 67d6d681e15b578c1725bad8ad079e05d1c48a8e, 67d6d681e15b578c1725bad8ad079e05d1c48a8e, 67d6d681e15b578c1725bad8ad079e05d1c48a8e, bed8941fbdb72a61f6348c4deb0db69c4de87aca, f10ce783bcc4d8ea454563a7d56ae781640e7dcb, f484595be6b7ef9d095a32becabb5dae8204fb2a, 3e6bd2b583f18da9856fc9741ffa200a74a52cba, 5ae06218331f39ec45b5d039aa7cb3ddd4bb8008, 4589a12dcf80af31137ef202be1ff4a321707a73, 5.4.146, 5.10.65, 4.4.284, 4.9.283, 4.14.247, 4.19.207, 5.13.17, 5.14.4unaffected
LinuxLinux5.15, 0, 5.4.302, 5.10.247, 5.15.197, 6.1.159, 6.6.117, 6.12.59, 6.17.9, 6.18affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.