CVE-2025-68813 (CNNVD-202601-2223)

UNKNOWN
中文标题:
Linux kernel 安全漏洞
英文标题:
ipvs: fix ipv4 null-ptr-deref in route error path
CVSS分数: N/A
发布时间: 2026-01-13 15:29:18
漏洞类型: 其他
状态: PUBLISHED
数据质量分数: 0.40
数据版本: v3
漏洞描述
中文描述:

Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于在路由错误路径中未设置skb->dev,可能导致空指针取消引用。

英文描述:

In the Linux kernel, the following vulnerability has been resolved: ipvs: fix ipv4 null-ptr-deref in route error path The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure() without ensuring skb->dev is set, leading to a NULL pointer dereference in fib_compute_spec_dst() when ipv4_link_failure() attempts to send ICMP destination unreachable messages. The issue emerged after commit ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure") started calling __ip_options_compile() from ipv4_link_failure(). This code path eventually calls fib_compute_spec_dst() which dereferences skb->dev. An attempt was made to fix the NULL skb->dev dereference in commit 0113d9c9d1cc ("ipv4: fix null-deref in ipv4_link_failure"), but it only addressed the immediate dev_net(skb->dev) dereference by using a fallback device. The fix was incomplete because fib_compute_spec_dst() later in the call chain still accesses skb->dev directly, which remains NULL when IPVS calls dst_link_failure(). The crash occurs when: 1. IPVS processes a packet in NAT mode with a misconfigured destination 2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route 3. The error path calls dst_link_failure(skb) with skb->dev == NULL 4. ipv4_link_failure() → ipv4_send_dest_unreach() → __ip_options_compile() → fib_compute_spec_dst() 5. fib_compute_spec_dst() dereferences NULL skb->dev Apply the same fix used for IPv6 in commit 326bf17ea5d4 ("ipvs: fix ipv6 route unreach panic"): set skb->dev from skb_dst(skb)->dev before calling dst_link_failure(). KASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f] CPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2 RIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233 RIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285 Call Trace: <TASK> spec_dst_fill net/ipv4/ip_options.c:232 spec_dst_fill net/ipv4/ip_options.c:229 __ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330 ipv4_send_dest_unreach net/ipv4/route.c:1252 ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265 dst_link_failure include/net/dst.h:437 __ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412 ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764

CWE类型:
(暂无数据)
标签:
(暂无数据)
受影响产品
厂商 产品 版本 版本范围 平台 CPE
Linux Linux 6c2fa855d8178699706b1192db2f1f8102b0ba1e - - cpe:2.3:a:linux:linux:6c2fa855d8178699706b1192db2f1f8102b0ba1e:*:*:*:*:*:*:*
Linux Linux fbf569d2beee2a4a7a0bc8b619c26101d1211a88 - - cpe:2.3:a:linux:linux:fbf569d2beee2a4a7a0bc8b619c26101d1211a88:*:*:*:*:*:*:*
Linux Linux ff71f99d5fb2daf54340e8b290d0bc4e6b4c1d38 - - cpe:2.3:a:linux:linux:ff71f99d5fb2daf54340e8b290d0bc4e6b4c1d38:*:*:*:*:*:*:*
Linux Linux 3d988fcddbe7b8673a231958bd2fba61b5a7ced9 - - cpe:2.3:a:linux:linux:3d988fcddbe7b8673a231958bd2fba61b5a7ced9:*:*:*:*:*:*:*
Linux Linux 8a430e56a6485267a1b2d3747209d26c54d1a34b - - cpe:2.3:a:linux:linux:8a430e56a6485267a1b2d3747209d26c54d1a34b:*:*:*:*:*:*:*
Linux Linux 6bd1ee0a993fc9574ae43c1994c54a60cb23a380 - - cpe:2.3:a:linux:linux:6bd1ee0a993fc9574ae43c1994c54a60cb23a380:*:*:*:*:*:*:*
Linux Linux 5.1 - - cpe:2.3:a:linux:linux:5.1:*:*:*:*:*:*:*
解决方案
中文解决方案:
(暂无数据)
英文解决方案:
(暂无数据)
临时解决方案:
(暂无数据)
参考链接
无标题 OTHER
cve.org
访问
无标题 OTHER
cve.org
访问
无标题 OTHER
cve.org
访问
无标题 OTHER
cve.org
访问
无标题 OTHER
cve.org
访问
CVSS评分详情
暂无CVSS评分信息
时间信息
发布时间:
2026-01-13 15:29:18
修改时间:
2026-01-13 15:29:18
创建时间:
2026-01-14 06:08:04
更新时间:
2026-01-16 02:48:23
利用信息
暂无可利用代码信息
数据源详情
数据源 记录ID 版本 提取时间
CVE cve_CVE-2025-68813 2026-01-14 02:22:03 2026-01-14 06:08:04
NVD nvd_CVE-2025-68813 2026-01-14 03:00:13 2026-01-14 06:14:35
CNNVD cnnvd_CNNVD-202601-2223 2026-01-15 01:52:31 2026-01-15 01:53:19
版本与语言
当前版本: v3
主要语言: EN
支持语言:
EN ZH
安全公告
暂无安全公告信息
变更历史
v3 CNNVD
2026-01-15 01:53:19
vulnerability_type: 未提取 → 其他; severity: SeverityLevel.MEDIUM → SeverityLevel.UNKNOWN; cvss_score: 未提取 → 0.0; cnnvd_id: 未提取 → CNNVD-202601-2223; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']
查看详细变更
  • vulnerability_type: 未提取 -> 其他
  • severity: SeverityLevel.MEDIUM -> SeverityLevel.UNKNOWN
  • cvss_score: 未提取 -> 0.0
  • cnnvd_id: 未提取 -> CNNVD-202601-2223
  • data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
v2 NVD
2026-01-14 06:14:35
data_sources: ['cve'] → ['cve', 'nvd']
查看详细变更
  • data_sources: ['cve'] -> ['cve', 'nvd']