CVE-2025-68200

Linux Kernel < 5.15.197, 5.16.0-6.6.117, 6.2.0-6.12.59, 6.7.0-6.17.9 - Use-After-Free in tc_skb_cb

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Add bpf_prog_run_data_pointers() syzbot found that cls_bpf_classify() is able to change tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop(). WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline] WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214 struct tc_skb_cb has been added in commit ec624fe740b4 ("net/sched: Extend qdisc control block with tc control block"), which added a wrong interaction with db58ba459202 ("bpf: wire in data and data_end for cls_act_bpf"). drop_reason was added later. Add bpf_prog_run_data_pointers() helper to save/restore the net_sched storage colliding with BPF data_meta/data_end.

References (6)

Core 6

Scores

EPSS 0.0006
EPSS Percentile 18.3%

Details

Status published
Products (19)
linux/Kernel < 5.15.197linux
linux/Kernel 5.16.0 - 6.6.117linux
linux/Kernel 6.2.0 - 6.12.59linux
linux/Kernel 6.7.0 - 6.17.9linux
Linux/Linux < 5.16
Linux/Linux 0d76daf2013ce1da20eab5e26bd81d983e1c18fb - c4cdd143c35974a2cedd000fa9eb3accc3023b20
Linux/Linux 5.15.13 - 5.15.197
Linux/Linux 5.15.197 - 5.15.*
Linux/Linux 5.16
Linux/Linux 6.1.159 - 6.1.*
... and 9 more
Published Dec 16, 2025
Tracked Since Feb 18, 2026