{"id":"CVE-2025-68725","summary":"bpf: Do not let BPF test infra emit invalid GSO types to stack","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Do not let BPF test infra emit invalid GSO types to stack\n\nYinhao et al. reported that their fuzzer tool was able to trigger a\nskb_warn_bad_offload() from netif_skb_features() -\u003e gso_features_check().\nWhen a BPF program - triggered via BPF test infra - pushes the packet\nto the loopback device via bpf_clone_redirect() then mentioned offload\nwarning can be seen. GSO-related features are then rightfully disabled.\n\nWe get into this situation due to convert___skb_to_skb() setting\ngso_segs and gso_size but not gso_type. Technically, it makes sense\nthat this warning triggers since the GSO properties are malformed due\nto the gso_type. Potentially, the gso_type could be marked non-trustworthy\nthrough setting it at least to SKB_GSO_DODGY without any other specific\nassumptions, but that also feels wrong given we should not go further\ninto the GSO engine in the first place.\n\nThe checks were added in 121d57af308d (\"gso: validate gso_type in GSO\nhandlers\") because there were malicious (syzbot) senders that combine\na protocol with a non-matching gso_type. If we would want to drop such\npackets, gso_features_check() currently only returns feature flags via\nnetif_skb_features(), so one location for potentially dropping such skbs\ncould be validate_xmit_unreadable_skb(), but then otoh it would be\nan additional check in the fast-path for a very corner case. Given\nbpf_clone_redirect() is the only place where BPF test infra could emit\nsuch packets, lets reject them right there.","modified":"2026-03-31T17:29:44.330676Z","published":"2025-12-24T10:33:09.610Z","related":["SUSE-SU-2026:0447-1","SUSE-SU-2026:0472-1","SUSE-SU-2026:0587-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20555-1","SUSE-SU-2026:20599-1","SUSE-SU-2026:20615-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","openSUSE-SU-2026:10039-1","openSUSE-SU-2026:10301-1","openSUSE-SU-2026:20287-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68725.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/04a899573fb87273a656f178b5f920c505f68875"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0f3a60869ca22024dfb9c6fce412b0c70cb4ea36"},{"type":"WEB","url":"https://git.kernel.org/stable/c/768376ece7036ecb8604961793a1b72afe6345dd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8670b53b8ee91f028f7240531064020b7413c461"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bb7902ed7d7f6d6a7c6c4dc25410d6127ce1085f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e0ffb64a2d72c6705b4a4c9efef600409f7e98a0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fbea4c63b5385588cb44ab21f91e55e33c719a54"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68725.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68725"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"850a88cc4096fe1df407452ba2e4d28cf5b3eee9"},{"fixed":"bb7902ed7d7f6d6a7c6c4dc25410d6127ce1085f"},{"fixed":"e0ffb64a2d72c6705b4a4c9efef600409f7e98a0"},{"fixed":"768376ece7036ecb8604961793a1b72afe6345dd"},{"fixed":"8670b53b8ee91f028f7240531064020b7413c461"},{"fixed":"0f3a60869ca22024dfb9c6fce412b0c70cb4ea36"},{"fixed":"fbea4c63b5385588cb44ab21f91e55e33c719a54"},{"fixed":"04a899573fb87273a656f178b5f920c505f68875"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68725.json"}}],"schema_version":"1.7.5"}