{"id":"CVE-2025-68241","summary":"ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe\n\nThe sit driver's packet transmission path calls: sit_tunnel_xmit() -\u003e\nupdate_or_create_fnhe(), which lead to fnhe_remove_oldest() being called\nto delete entries exceeding FNHE_RECLAIM_DEPTH+random.\n\nThe race window is between fnhe_remove_oldest() selecting fnheX for\ndeletion and the subsequent kfree_rcu(). During this time, the\nconcurrent path's __mkroute_output() -\u003e find_exception() can fetch the\nsoon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a\nnew dst using a dst_hold(). When the original fnheX is freed via RCU,\nthe dst reference remains permanently leaked.\n\nCPU 0 CPU 1\n__mkroute_output()\n find_exception() [fnheX]\n update_or_create_fnhe()\n fnhe_remove_oldest() [fnheX]\n rt_bind_exception() [bind dst]\n RCU callback [fnheX freed, dst leak]\n\nThis issue manifests as a device reference count leak and a warning in\ndmesg when unregistering the net device:\n\n unregister_netdevice: waiting for sitX to become free. Usage count = N\n\nIdo Schimmel provided the simple test validation method [1].\n\nThe fix clears 'oldest-\u003efnhe_daddr' before calling fnhe_flush_routes().\nSince rt_bind_exception() checks this field, setting it to zero prevents\nthe stale fnhe from being reused and bound to a new dst just before it\nis freed.\n\n[1]\nip netns add ns1\nip -n ns1 link set dev lo up\nip -n ns1 address add 192.0.2.1/32 dev lo\nip -n ns1 link add name dummy1 up type dummy\nip -n ns1 route add 192.0.2.2/32 dev dummy1\nip -n ns1 link add name gretap1 up arp off type gretap \\\n local 192.0.2.1 remote 192.0.2.2\nip -n ns1 route add 198.51.0.0/16 dev gretap1\ntaskset -c 0 ip netns exec ns1 mausezahn gretap1 \\\n -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &\ntaskset -c 2 ip netns exec ns1 mausezahn gretap1 \\\n -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &\nsleep 10\nip netns pids ns1 | xargs kill\nip netns del ns1","modified":"2026-05-07T04:16:41.376342Z","published":"2025-12-16T14:21:18.682Z","related":["SUSE-SU-2026:0447-1","SUSE-SU-2026:0472-1","SUSE-SU-2026:0473-1","SUSE-SU-2026:0587-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20555-1","SUSE-SU-2026:20599-1","SUSE-SU-2026:20615-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","openSUSE-SU-2026:20287-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68241.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/041ab9ca6e80d8f792bb69df28ebf1ef39c06af8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0fd16ed6dc331636fb2a874c42d2f7d3156f7ff0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/298f1e0694ab4edb6092d66efed93c4554e6ced1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4b7210da22429765d19460d38c30eeca72656282"},{"type":"WEB","url":"https://git.kernel.org/stable/c/69d35c12168f9c59b159ae566f77dfad9f96d7ca"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ac1499fcd40fe06479e9b933347b837ccabc2a40"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b84f083f50ecc736a95091691339a1b363962f0e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b8a44407bdaf2f0c5505cc7d9fc7d8da90cf9a94"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68241.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68241"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"e46e23c289f62ccd8e2230d9ce652072d777ff30"},{"fixed":"69d35c12168f9c59b159ae566f77dfad9f96d7ca"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"5867e20e1808acd0c832ddea2587e5ee49813874"},{"fixed":"4b7210da22429765d19460d38c30eeca72656282"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"67d6d681e15b578c1725bad8ad079e05d1c48a8e"},{"fixed":"298f1e0694ab4edb6092d66efed93c4554e6ced1"},{"fixed":"b8a44407bdaf2f0c5505cc7d9fc7d8da90cf9a94"},{"fixed":"041ab9ca6e80d8f792bb69df28ebf1ef39c06af8"},{"fixed":"b84f083f50ecc736a95091691339a1b363962f0e"},{"fixed":"0fd16ed6dc331636fb2a874c42d2f7d3156f7ff0"},{"fixed":"ac1499fcd40fe06479e9b933347b837ccabc2a40"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"bed8941fbdb72a61f6348c4deb0db69c4de87aca"},{"last_affected":"f10ce783bcc4d8ea454563a7d56ae781640e7dcb"},{"last_affected":"f484595be6b7ef9d095a32becabb5dae8204fb2a"},{"last_affected":"3e6bd2b583f18da9856fc9741ffa200a74a52cba"},{"last_affected":"5ae06218331f39ec45b5d039aa7cb3ddd4bb8008"},{"last_affected":"4589a12dcf80af31137ef202be1ff4a321707a73"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68241.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.302"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.247"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.197"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.15.0"},{"fixed":"6.1.159"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.6.117"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.12.59"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.17.9"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68241.json"}}],"schema_version":"1.7.5"}