CVE-2025-68363
Use-After-Initialization in Linux Kernel BPF skb Transport Header Handling

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Check skb->transport_header is set in bpf_skb_check_mtu

The bpf_skb_check_mtu helper needs to use skb->transport_header when the BPF_MTU_CHK_SEGS flag is used:

    bpf_skb_check_mtu(skb, ifindex, &mtu_len, 0, BPF_MTU_CHK_SEGS)

The transport_header is not always set. There is a WARN_ON_ONCE report when CONFIG_DEBUG_NET is enabled + skb->gso_size is set + bpf_prog_test_run is used:

    WARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071
     skb_gso_validate_network_len
     bpf_skb_check_mtu
     bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch
     bpf_test_run
     bpf_prog_test_run_skb

For a normal ingress skb (not test_run), skb_reset_transport_header is performed but there is a plan to avoid setting it as described in commit 2170a1f09148 ("net: no longer reset transport_header in __netif_receive_skb_core()").

This patch fixes the bpf helper by checking skb_transport_header_was_set(). The check is done just before skb->transport_header is used, to avoid breaking the existing bpf prog. The WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next.

Meta Information
Published: 2025-12-24
Last Modified: 2025-12-24
Generated: 2026-05-07
AI Q&A: 2025-12-24
EPSS Evaluated: 2026-05-05

Affected Vendors & Products
Showing 1 associated CPE
Vendor    Product         Version / Range
linux     linux_kernel    *

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is in the Linux kernel's BPF subsystem, specifically in the bpf_skb_check_mtu helper function. The helper reads skb->transport_header when the BPF_MTU_CHK_SEGS flag is set, but that field is not always set. With CONFIG_DEBUG_NET enabled and skb->gso_size set, calling the helper through bpf_prog_test_run triggers a WARN_ON_ONCE in skb_gso_validate_network_len. The patch fixes this by checking skb_transport_header_was_set() just before skb->transport_header is used, preventing improper access and avoiding warnings during BPF program test runs.


How can this vulnerability impact me?

The vulnerability can cause warnings and potential instability when running BPF programs that call bpf_skb_check_mtu with the BPF_MTU_CHK_SEGS flag, especially during testing with bpf_prog_test_run, which is where the upstream description reports the WARN_ON_ONCE. This could lead to unexpected behavior or crashes in network packet processing within the kernel, affecting system reliability and network functionality.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves monitoring for WARN_ON_ONCE messages related to skb_gso_validate_network_len in the kernel logs, especially when CONFIG_DEBUG_NET is enabled and skb->gso_size is set. You can check kernel logs using commands like 'dmesg | grep skb_gso_validate_network_len' or 'journalctl -k | grep skb_gso_validate_network_len'. Additionally, running BPF programs with bpf_prog_test_run may trigger the warning if the vulnerability is present.
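
A plain grep for skb_gso_validate_network_len also matches warnings that reach that function by other paths. The script below is an added example, not part of the advisory or the kernel patch: it flags only WARN blocks whose trace also contains bpf_skb_check_mtu, and notes whether the call came from bpf_prog_test_run_skb. The function names scan_mtu_warn and sample_log, the output format, and the sample log (timestamps, offsets and the unrelated first warning) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory: report WARN blocks whose trace shows
# skb_gso_validate_network_len reached through bpf_skb_check_mtu.

# scan_mtu_warn: kernel log text on stdin, one MATCH line per hit on stdout.
scan_mtu_warn() {
    awk '
    function emit_block() {
        # Require both symbols inside one WARN block, not one loose grep hit.
        if (in_warn && gso && mtu) {
            origin = testrun ? "bpf_prog_test_run" : "other"
            printf "MATCH loc=%s origin=%s\n", loc, origin
        }
        in_warn = gso = mtu = testrun = 0
    }
    /WARNING: CPU:/ {
        emit_block(); in_warn = 1; loc = "unknown"
        if (match($0, / at [^ ]+/)) loc = substr($0, RSTART + 4, RLENGTH - 4)
    }
    in_warn && /skb_gso_validate_network_len/ { gso = 1 }
    in_warn && /bpf_skb_check_mtu/            { mtu = 1 }
    in_warn && /bpf_prog_test_run_skb/        { testrun = 1 }
    /end trace/ { emit_block() }
    END { emit_block() }
    '
}

# sample_log: constructed kernel log; the second block follows the trace
# quoted in the description, the first is an unrelated warning.
sample_log() {
    cat <<'EOF'
[   71.100000] ------------[ cut here ]------------
[   71.100010] WARNING: CPU: 0 PID: 41 at kernel/example.c:10 example_fn+0x1/0x2
[   71.100020]  example_caller+0x3/0x4
[   71.100030] ---[ end trace 0000000000000000 ]---
[   84.200000] ------------[ cut here ]------------
[   84.200010] WARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071 skb_gso_validate_network_len+0x10/0x20
[   84.200020] Call Trace:
[   84.200030]  bpf_skb_check_mtu+0x10/0x20
[   84.200040]  bpf_prog_3920e25740a41171_tc_chk_segs_flag+0x10/0x20
[   84.200050]  bpf_test_run+0x10/0x20
[   84.200060]  bpf_prog_test_run_skb+0x10/0x20
[   84.200070] ---[ end trace 0000000000000000 ]---
EOF
}

# Demo on the constructed log; on a host use: dmesg | scan_mtu_warn
sample_log | scan_mtu_warn
```

The warning is a WARN_ON_ONCE, so a log with no further hits after the first does not mean the condition stopped occurring.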


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves updating the Linux kernel to a version that includes the patch, which makes the bpf_skb_check_mtu helper check skb_transport_header_was_set() before using skb->transport_header. Enabling CONFIG_DEBUG_NET can help detect the issue during testing. Until the kernel is patched, avoid running BPF programs that call bpf_skb_check_mtu with the BPF_MTU_CHK_SEGS flag.

