CVE-2025-68341
Unknown Unknown - Not Provided

Race Condition in Linux Kernel veth Component Causes Descriptor Corruption

Vulnerability report for CVE-2025-68341, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-23

Last updated on: 2025-12-23

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: veth: reduce XDP no_direct return section to fix race As explain in commit fa349e396e48 ("veth: Fix race with AF_XDP exposing old or uninitialized descriptors") for veth there is a chance after napi_complete_done() that another CPU can manage start another NAPI instance running veth_pool(). For NAPI this is correctly handled as the napi_schedule_prep() check will prevent multiple instances from getting scheduled, but for the remaining code in veth_pool() this can run concurrent with the newly started NAPI instance. The problem/race is that xdp_clear_return_frame_no_direct() isn't designed to be nested. Prior to commit 401cb7dae813 ("net: Reference bpf_redirect_info via task_struct on PREEMPT_RT.") the temporary BPF net context bpf_redirect_info was stored per CPU, where this wasn't an issue. Since this commit the BPF context is stored in 'current' task_struct. When running veth in threaded-NAPI mode, then the kthread becomes the storage area. Now a race exists between two concurrent veth_pool() function calls one exiting NAPI and one running new NAPI, both using the same BPF net context. Race is when another CPU gets within the xdp_set_return_frame_no_direct() section before exiting veth_pool() calls the clear-function xdp_clear_return_frame_no_direct().

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-23
Last Modified
2025-12-23
Generated
2026-07-06
AI Q&A
2025-12-23
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a race condition in the Linux kernel's veth (virtual Ethernet) implementation related to the XDP (eXpress Data Path) no_direct return section. Specifically, after napi_complete_done(), another CPU can start a new NAPI instance running veth_pool() concurrently with an existing one. The function xdp_clear_return_frame_no_direct() is not designed to be nested, leading to a race between two concurrent veth_pool() calls sharing the same BPF net context stored in the current task_struct. This race can cause exposure of old or uninitialized descriptors.

Impact Analysis

This race condition can lead to exposure of old or uninitialized descriptors in the veth interface, potentially causing incorrect or unexpected behavior in network packet processing. This may result in data corruption, instability, or security issues in systems relying on the affected Linux kernel networking components.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68341. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart