CVE-2025-68241

UNKNOWN 0.0

ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

In the Linux kernel, the following vulnerability has been resolved: ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe The sit driver's packet transmission path calls: sit_tunnel_xmit() -> update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called to delete entries exceeding FNHE_RECLAIM_DEPTH+random. The race window is between fnhe_remove_oldest() selecting fnheX for deletion and the subsequent kfree_rcu(). During this time, the concurrent path's __mkroute_output() -> find_exception() can fetch the soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a new dst using a dst_hold(). When the original fnheX is freed via RCU, the dst reference remains permanently leaked. CPU 0 CPU 1 __mkroute_output() find_exception() [fnheX] update_or_create_fnhe() fnhe_remove_oldest() [fnheX] rt_bind_exception() [bind dst] RCU callback [fnheX freed, dst leak] This issue manifests as a device reference count leak and a warning in dmesg when unregistering the net device: unregister_netdevice: waiting for sitX to become free. Usage count = N Ido Schimmel provided the simple test validation method [1]. The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes(). Since rt_bind_exception() checks this field, setting it to zero prevents the stale fnhe from being reused and bound to a new dst just before it is freed. [1] ip netns add ns1 ip -n ns1 link set dev lo up ip -n ns1 address add 192.0.2.1/32 dev lo ip -n ns1 link add name dummy1 up type dummy ip -n ns1 route add 192.0.2.2/32 dev dummy1 ip -n ns1 link add name gretap1 up arp off type gretap \ local 192.0.2.1 remote 192.0.2.2 ip -n ns1 route add 198.51.0.0/16 dev gretap1 taskset -c 0 ip netns exec ns1 mausezahn gretap1 \ -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & taskset -c 2 ip netns exec ns1 mausezahn gretap1 \ -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & sleep 10 ip netns pids ns1 | xargs kill ip netns del ns1

Vendor	linux
Product	linux
Ecosystems	Linux Kernel
Industries	Technology
Published	Dec 16, 2025
Last Updated	May 11, 2026

Stay Ahead of the Next One

Get instant alerts for linux linux

Be the first to know when new unknown vulnerabilities affecting linux linux are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Linux / Linux

e46e23c289f62ccd8e2230d9ce652072d777ff30 < 69d35c12168f9c59b159ae566f77dfad9f96d7ca 5867e20e1808acd0c832ddea2587e5ee49813874 < 4b7210da22429765d19460d38c30eeca72656282 67d6d681e15b578c1725bad8ad079e05d1c48a8e < 298f1e0694ab4edb6092d66efed93c4554e6ced1 67d6d681e15b578c1725bad8ad079e05d1c48a8e < b8a44407bdaf2f0c5505cc7d9fc7d8da90cf9a94 67d6d681e15b578c1725bad8ad079e05d1c48a8e < 041ab9ca6e80d8f792bb69df28ebf1ef39c06af8 67d6d681e15b578c1725bad8ad079e05d1c48a8e < b84f083f50ecc736a95091691339a1b363962f0e 67d6d681e15b578c1725bad8ad079e05d1c48a8e < 0fd16ed6dc331636fb2a874c42d2f7d3156f7ff0 67d6d681e15b578c1725bad8ad079e05d1c48a8e < ac1499fcd40fe06479e9b933347b837ccabc2a40 bed8941fbdb72a61f6348c4deb0db69c4de87aca f10ce783bcc4d8ea454563a7d56ae781640e7dcb f484595be6b7ef9d095a32becabb5dae8204fb2a 3e6bd2b583f18da9856fc9741ffa200a74a52cba 5ae06218331f39ec45b5d039aa7cb3ddd4bb8008 4589a12dcf80af31137ef202be1ff4a321707a73

Linux / Linux

5.15

References

NVD ↗ CVE.org ↗ EPSS Data ↗