CVE-2025-68341
Unknown Unknown - Not Provided
Race Condition in Linux Kernel veth Component Causes Descriptor Corruption

Publication date: 2025-12-23

Last updated on: 2025-12-23

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: veth: reduce XDP no_direct return section to fix race As explain in commit fa349e396e48 ("veth: Fix race with AF_XDP exposing old or uninitialized descriptors") for veth there is a chance after napi_complete_done() that another CPU can manage start another NAPI instance running veth_pool(). For NAPI this is correctly handled as the napi_schedule_prep() check will prevent multiple instances from getting scheduled, but for the remaining code in veth_pool() this can run concurrent with the newly started NAPI instance. The problem/race is that xdp_clear_return_frame_no_direct() isn't designed to be nested. Prior to commit 401cb7dae813 ("net: Reference bpf_redirect_info via task_struct on PREEMPT_RT.") the temporary BPF net context bpf_redirect_info was stored per CPU, where this wasn't an issue. Since this commit the BPF context is stored in 'current' task_struct. When running veth in threaded-NAPI mode, then the kthread becomes the storage area. Now a race exists between two concurrent veth_pool() function calls one exiting NAPI and one running new NAPI, both using the same BPF net context. Race is when another CPU gets within the xdp_set_return_frame_no_direct() section before exiting veth_pool() calls the clear-function xdp_clear_return_frame_no_direct().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-23
Last Modified
2025-12-23
Generated
2026-05-07
AI Q&A
2025-12-23
EPSS Evaluated
2026-05-05
NVD
CVE-2025-68341
EUVD
EUVD-2025-204801
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a race condition in the Linux kernel's veth (virtual Ethernet) implementation related to the XDP (eXpress Data Path) no_direct return section. Specifically, after napi_complete_done(), another CPU can start a new NAPI instance running veth_pool() concurrently with an existing one. The function xdp_clear_return_frame_no_direct() is not designed to be nested, leading to a race between two concurrent veth_pool() calls sharing the same BPF net context stored in the current task_struct. This race can cause exposure of old or uninitialized descriptors.


How can this vulnerability impact me? :

This race condition can lead to exposure of old or uninitialized descriptors in the veth interface, potentially causing incorrect or unexpected behavior in network packet processing. This may result in data corruption, instability, or security issues in systems relying on the affected Linux kernel networking components.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart