CVE-2025-68245
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-16

Last updated on: 2025-12-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: netpoll: fix incorrect refcount handling causing incorrect cleanup commit efa95b01da18 ("netpoll: fix use after free") incorrectly ignored the refcount and prematurely set dev->npinfo to NULL during netpoll cleanup, leading to improper behavior and memory leaks. Scenario causing lack of proper cleanup: 1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is allocated, and refcnt = 1 - Keep in mind that npinfo is shared among all netpoll instances. In this case, there is just one. 2) Another netpoll is also associated with the same NIC and npinfo->refcnt += 1. - Now dev->npinfo->refcnt = 2; - There is just one npinfo associated to the netdev. 3) When the first netpolls goes to clean up: - The first cleanup succeeds and clears np->dev->npinfo, ignoring refcnt. - It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);` - Set dev->npinfo = NULL, without proper cleanup - No ->ndo_netpoll_cleanup() is either called 4) Now the second target tries to clean up - The second cleanup fails because np->dev->npinfo is already NULL. * In this case, ops->ndo_netpoll_cleanup() was never called, and the skb pool is not cleaned as well (for the second netpoll instance) - This leaks npinfo and skbpool skbs, which is clearly reported by kmemleak. Revert commit efa95b01da18 ("netpoll: fix use after free") and adds clarifying comments emphasizing that npinfo cleanup should only happen once the refcount reaches zero, ensuring stable and correct netpoll behavior.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-16
Last Modified
2025-12-18
Generated
2026-05-07
AI Q&A
2025-12-16
EPSS Evaluated
2026-05-05
NVD
CVE-2025-68245
EUVD
EUVD-2025-203651
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is in the Linux kernel's netpoll feature. It involves incorrect reference count handling during netpoll cleanup. Specifically, a commit intended to fix a use-after-free issue ignored the reference count and prematurely set a network device's npinfo pointer to NULL. This caused improper cleanup behavior: when multiple netpoll instances share the same npinfo, the first cleanup clears the pointer without checking the reference count, preventing the second cleanup from running properly. As a result, memory leaks occur because npinfo and associated skb pools are not cleaned up correctly.


How can this vulnerability impact me? :

This vulnerability can lead to memory leaks in the Linux kernel's netpoll subsystem. When multiple netpoll instances share the same npinfo, improper cleanup causes npinfo and skb pools to remain allocated, wasting system memory. Over time, this can degrade system performance or stability due to resource exhaustion.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for memory leaks related to netpoll instances, specifically leaks of npinfo and skbpool skbs. The description mentions that such leaks are clearly reported by kmemleak, a Linux kernel memory leak detector. Therefore, using kmemleak to scan for memory leaks involving netpoll npinfo and skbpool skbs can help detect this issue. Specific commands include enabling kmemleak and checking its reports, for example: 1) Enable kmemleak by adding 'kmemleak=on' to the kernel boot parameters. 2) Trigger kmemleak scan by writing 'scan' to /sys/kernel/debug/kmemleak. 3) Read the kmemleak report from /sys/kernel/debug/kmemleak to identify leaks related to netpoll.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves ensuring that the netpoll cleanup process correctly handles the reference counting of npinfo. Since the vulnerability arises from premature cleanup ignoring the refcount, the fix is to revert the problematic commit and ensure that npinfo cleanup only occurs when the reference count reaches zero. Practically, this means updating the Linux kernel to a version that includes the fix which reverts commit efa95b01da18 and properly manages npinfo refcount during netpoll cleanup. Until such an update is applied, monitoring for memory leaks and avoiding multiple netpoll instances on the same NIC may reduce risk.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart