CVE-2025-68768

Linux Kernel 5.3-6.18.2 - Denial of Service via Fragment Queue Deadlock

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: inet: frags: flush pending skbs in fqdir_pre_exit() We have been seeing occasional deadlocks on pernet_ops_rwsem since September in NIPA. The stuck task was usually modprobe (often loading a driver like ipvlan), trying to take the lock as a Writer. lockdep does not track readers for rwsems so the read wasn't obvious from the reports. On closer inspection the Reader holding the lock was conntrack looping forever in nf_conntrack_cleanup_net_list(). Based on past experience with occasional NIPA crashes I looked thru the tests which run before the crash and noticed that the crash follows ip_defrag.sh. An immediate red flag. Scouring thru (de)fragmentation queues reveals skbs sitting around, holding conntrack references. The problem is that since conntrack depends on nf_defrag_ipv6, nf_defrag_ipv6 will load first. Since nf_defrag_ipv6 loads first its netns exit hooks run _after_ conntrack's netns exit hook. Flush all fragment queue SKBs during fqdir_pre_exit() to release conntrack references before conntrack cleanup runs. Also flush the queues in timer expiry handlers when they discover fqdir->dead is set, in case packet sneaks in while we're running the pre_exit flush. The commit under Fixes is not exactly the culprit, but I think previously the timer firing would eventually unblock the spinning conntrack.

Scores

EPSS 0.0017
EPSS Percentile 6.4%

Details

Status published
Products (14)
linux/Kernel 5.3.0 - 6.18.3linux
linux/Kernel 5.3.0 - 6.6.143linux
linux/Kernel 6.13.0 - 6.18.3linux
linux/Kernel 6.7.0 - 6.12.93linux
Linux/Linux < 5.3
Linux/Linux 5.3
Linux/Linux 6.12.93 - 6.12.*
Linux/Linux 6.18.3 - 6.18.*
Linux/Linux 6.19
Linux/Linux 6.6.143 - 6.6.*
... and 4 more
Published Jan 13, 2026
Tracked Since Feb 18, 2026