LiveActive security incident?Get immediate response
CVE Record

CVE-2025-68813: ipvs: fix ipv4 null-ptr-deref in route error path

In the Linux kernel, the following vulnerability has been resolved: ipvs: fix ipv4 null-ptr-deref in route error path The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure() without ensuring skb->dev is set, leading to a NULL pointer dereference in fib_compute_spec_dst() when ipv4_link_failure() attempts to send ICMP destination unreachable messages. The issue emerged after commit ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure") started calling __ip_options_compile() from ipv4_link_failure(). This code path eventually calls fib_compute_spec_dst() which dereferences skb->dev. An attempt was made to fix the NULL skb->dev dereference in commit 0113d9c9d1cc ("ipv4: fix null-deref in ipv4_link_failure"), but it only addressed the immediate dev_net(skb->dev) dereference by using a fallback device. The fix was incomplete because fib_compute_spec_dst() later in the call chain still accesses skb->dev directly, which remains NULL when IPVS calls dst_link_failure(). The crash occurs when: 1. IPVS processes a packet in NAT mode with a misconfigured destination 2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route 3. The error path calls dst_link_failure(skb) with skb->dev == NULL 4. ipv4_link_failure() → ipv4_send_dest_unreach() → __ip_options_compile() → fib_compute_spec_dst() 5. fib_compute_spec_dst() dereferences NULL skb->dev Apply the same fix used for IPv6 in commit 326bf17ea5d4 ("ipvs: fix ipv6 route unreach panic"): set skb->dev from skb_dst(skb)->dev before calling dst_link_failure(). KASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f] CPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2 RIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233 RIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285 Call Trace: <TASK> spec_dst_fill net/ipv4/ip_options.c:232 spec_dst_fill net/ipv4/ip_options.c:229 __ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330 ipv4_send_dest_unreach net/ipv4/route.c:1252 ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265 dst_link_failure include/net/dst.h:437 __ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412 ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel availability issue in IPVS, the load-balancing component behind some virtual server setups. Under a specific IPv4 NAT route-error condition, the kernel can dereference a missing network device pointer and crash. The sources do not show data theft, privilege escalation, or active exploitation.

Executive priority

Treat as a focused availability risk for Linux load-balancing infrastructure. Prioritize patching where IPVS NAT supports production traffic, but do not escalate as known exploited based on the supplied evidence.

Technical view

In __ip_vs_get_out_rt(), the IPv4 error path can call dst_link_failure() while skb->dev is NULL. ipv4_link_failure() can then reach fib_compute_spec_dst(), which dereferences skb->dev. The described fix mirrors the IPv6 path by setting skb->dev from skb_dst(skb)->dev before dst_link_failure().

Likely exposure

Exposure is likely limited to Linux systems using IPVS in NAT mode on affected kernel versions, especially where destination or routing configuration can trigger route lookup failure. Systems not using IPVS NAT are less likely exposed based on the provided description.

Exploitation context

The bundle cites a KASAN crash trace and says the crash occurs with IPVS NAT mode, a misconfigured destination, and route lookup failure. CISA KEV status is false, and no cited source claims active exploitation or public weaponization.

Researcher notes

The vulnerability is tied to an incomplete prior IPv4 fix after ipv4_link_failure began recompiling IP options. The key condition is skb->dev remaining NULL when dst_link_failure() is called from the IPVS IPv4 NAT route-error path.

Mitigation direction

  • Apply Linux kernel updates containing the referenced stable fixes.
  • Prioritize IPVS NAT hosts and load balancers first.
  • Review vendor distribution advisories for exact patched package versions.
  • Reduce exposure to untrusted traffic where IPVS NAT is required.
  • Correct known IPVS destination or routing misconfigurations.

Validation and detection

  • Inventory Linux hosts using IPVS or IPVS NAT mode.
  • Compare running kernel versions against vendor fixed releases.
  • Check whether referenced stable commits are present in the kernel tree.
  • Review logs for kernel crashes matching the supplied call trace.
  • Confirm IPVS destination routing is valid and monitored.
Prepared
Confidence
high
Sources
9

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-68813 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
8Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxed0de45a1008991fdaa27a0152befcb74d126a8b, ed0de45a1008991fdaa27a0152befcb74d126a8b, ed0de45a1008991fdaa27a0152befcb74d126a8b, ed0de45a1008991fdaa27a0152befcb74d126a8b, ed0de45a1008991fdaa27a0152befcb74d126a8b, ed0de45a1008991fdaa27a0152befcb74d126a8b, ed0de45a1008991fdaa27a0152befcb74d126a8b, 6c2fa855d8178699706b1192db2f1f8102b0ba1e, fbf569d2beee2a4a7a0bc8b619c26101d1211a88, ff71f99d5fb2daf54340e8b290d0bc4e6b4c1d38, 3d988fcddbe7b8673a231958bd2fba61b5a7ced9, 8a430e56a6485267a1b2d3747209d26c54d1a34b, 6bd1ee0a993fc9574ae43c1994c54a60cb23a380, 3.18.139, 4.4.179, 4.9.171, 4.14.114, 4.19.37, 5.0.10unaffected
LinuxLinux5.1, 0, 5.10.248, 5.15.198, 6.1.160, 6.6.120, 6.12.64, 6.18.3, 6.19affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.