CVE-2025-68813: ipvs: fix ipv4 null-ptr-deref in route error path
In the Linux kernel, the following vulnerability has been resolved:
ipvs: fix ipv4 null-ptr-deref in route error path
The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure()
without ensuring skb->dev is set, leading to a NULL pointer dereference
in fib_compute_spec_dst() when ipv4_link_failure() attempts to send
ICMP destination unreachable messages.
The issue emerged after commit ed0de45a1008 ("ipv4: recompile ip options
in ipv4_link_failure") started calling __ip_options_compile() from
ipv4_link_failure(). This code path eventually calls fib_compute_spec_dst()
which dereferences skb->dev. An attempt was made to fix the NULL skb->dev
dereference in commit 0113d9c9d1cc ("ipv4: fix null-deref in
ipv4_link_failure"), but it only addressed the immediate dev_net(skb->dev)
dereference by using a fallback device. The fix was incomplete because
fib_compute_spec_dst() later in the call chain still accesses skb->dev
directly, which remains NULL when IPVS calls dst_link_failure().
The crash occurs when:
1. IPVS processes a packet in NAT mode with a misconfigured destination
2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route
3. The error path calls dst_link_failure(skb) with skb->dev == NULL
4. ipv4_link_failure() → ipv4_send_dest_unreach() →
__ip_options_compile() → fib_compute_spec_dst()
5. fib_compute_spec_dst() dereferences NULL skb->dev
Apply the same fix used for IPv6 in commit 326bf17ea5d4 ("ipvs: fix
ipv6 route unreach panic"): set skb->dev from skb_dst(skb)->dev before
calling dst_link_failure().
KASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f]
CPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2
RIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233
RIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285
Call Trace:
<TASK>
spec_dst_fill net/ipv4/ip_options.c:232
spec_dst_fill net/ipv4/ip_options.c:229
__ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330
ipv4_send_dest_unreach net/ipv4/route.c:1252
ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265
dst_link_failure include/net/dst.h:437
__ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412
ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel availability issue in IPVS, the load-balancing component behind some virtual server setups. Under a specific IPv4 NAT route-error condition, the kernel can dereference a missing network device pointer and crash. The sources do not show data theft, privilege escalation, or active exploitation.
Executive priority
Treat as a focused availability risk for Linux load-balancing infrastructure. Prioritize patching where IPVS NAT supports production traffic, but do not escalate as known exploited based on the supplied evidence.
Technical view
In __ip_vs_get_out_rt(), the IPv4 error path can call dst_link_failure() while skb->dev is NULL. ipv4_link_failure() can then reach fib_compute_spec_dst(), which dereferences skb->dev. The described fix mirrors the IPv6 path by setting skb->dev from skb_dst(skb)->dev before dst_link_failure().
Likely exposure
Exposure is likely limited to Linux systems using IPVS in NAT mode on affected kernel versions, especially where destination or routing configuration can trigger route lookup failure. Systems not using IPVS NAT are less likely exposed based on the provided description.
Exploitation context
The bundle cites a KASAN crash trace and says the crash occurs with IPVS NAT mode, a misconfigured destination, and route lookup failure. CISA KEV status is false, and no cited source claims active exploitation or public weaponization.
Researcher notes
The vulnerability is tied to an incomplete prior IPv4 fix after ipv4_link_failure began recompiling IP options. The key condition is skb->dev remaining NULL when dst_link_failure() is called from the IPVS IPv4 NAT route-error path.
Mitigation direction
Apply Linux kernel updates containing the referenced stable fixes.
Prioritize IPVS NAT hosts and load balancers first.
Review vendor distribution advisories for exact patched package versions.
Reduce exposure to untrusted traffic where IPVS NAT is required.
Correct known IPVS destination or routing misconfigurations.
Validation and detection
Inventory Linux hosts using IPVS or IPVS NAT mode.
Compare running kernel versions against vendor fixed releases.
Check whether referenced stable commits are present in the kernel tree.
Review logs for kernel crashes matching the supplied call trace.
Confirm IPVS destination routing is valid and monitored.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2025-68813 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.