CVE-2025-68363 - Vulnerability Details

- bpf: Check skb->transport_header is set in bpf_skb_check_mtu

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Check skb->transport_header is set in bpf_skb_check_mtu

The bpf_skb_check_mtu helper needs to use skb->transport_header when
the BPF_MTU_CHK_SEGS flag is used:

bpf_skb_check_mtu(skb, ifindex, &mtu_len, 0, BPF_MTU_CHK_SEGS)

The transport_header is not always set. There is a WARN_ON_ONCE
report when CONFIG_DEBUG_NET is enabled + skb->gso_size is set +
bpf_prog_test_run is used:

WARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071
skb_gso_validate_network_len
bpf_skb_check_mtu
bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch
bpf_test_run
bpf_prog_test_run_skb

For a normal ingress skb (not test_run), skb_reset_transport_header
is performed but there is plan to avoid setting it as described in
commit 2170a1f09148 ("net: no longer reset transport_header in __netif_receive_skb_core()").

This patch fixes the bpf helper by checking
skb_transport_header_was_set(). The check is done just before
skb->transport_header is used, to avoid breaking the existing bpf prog.
The WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next.

Published: 2025-12-24

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`34b2021cc61642d61c3cf943d9e71925b827941b`	affected	< b3171a5e4622e915e94599a55f4964078bdec27e
`34b2021cc61642d61c3cf943d9e71925b827941b`	affected	< 97b876fa88322625228792cf7a5fd77531815a80
`34b2021cc61642d61c3cf943d9e71925b827941b`	affected	< 30ce906557a21adef4cba5901c8e995dc18263a9
`34b2021cc61642d61c3cf943d9e71925b827941b`	affected	< 1c30e4afc5507f0069cc09bd561e510e4d97fbf7
`34b2021cc61642d61c3cf943d9e71925b827941b`	affected	< 942268e2726ac7f16e3ec49dbfbbbe7cf5af9da5
`34b2021cc61642d61c3cf943d9e71925b827941b`	affected	< d946f3c98328171fa50ddb908593cf833587f725

Linux

affected

Version	Status	Constraints
`5.12`	affected	—
`0`	unaffected	< 5.12
`6.1.160`	unaffected	≤ 6.1.*
`6.6.120`	unaffected	≤ 6.6.*
`6.12.63`	unaffected	≤ 6.12.*
`6.17.13`	unaffected	≤ 6.17.*
`6.18.2`	unaffected	≤ 6.18.*
`6.19`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4476-1	linux-6.1 security update
Debian DSA	DSA-6127-1	linux security update
Ubuntu USN	USN-8094-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8094-2	Linux kernel vulnerabilities
Ubuntu USN	USN-8094-3	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8094-4	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8094-5	Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN	USN-8152-1	Linux kernel (OEM) vulnerabilities
Ubuntu USN	USN-8179-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8184-1	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8179-2	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-8185-1	Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN	USN-8179-3	Linux kernel vulnerabilities
Ubuntu USN	USN-8203-1	Linux kernel (Oracle) vulnerabilities
Ubuntu USN	USN-8204-1	Linux kernel (Raspberry Pi Real-time) vulnerabilities
Ubuntu USN	USN-8185-2	Linux kernel (Low Latency NVIDIA) vulnerabilities
Ubuntu USN	USN-8179-4	Linux kernel (GCP) vulnerabilities
Ubuntu USN	USN-8258-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8260-1	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-8261-1	Linux kernel (Xilinx) vulnerabilities
Ubuntu USN	USN-8265-1	Linux kernel (NVIDIA Tegra) vulnerabilities

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00068.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1c30e4afc5507f0069cc09bd561e510e4d97fbf7
https://git.kernel.org/stable/c/30ce906557a21adef4cba5901c8e995dc18263a9
https://git.kernel.org/stable/c/942268e2726ac7f16e3ec49dbfbbbe7cf5af9da5
https://git.kernel.org/stable/c/97b876fa88322625228792cf7a5fd77531815a80
https://git.kernel.org/stable/c/b3171a5e4622e915e94599a55f4964078bdec27e
https://git.kernel.org/stable/c/d946f3c98328171fa50ddb908593cf833587f725
https://lore.kernel.org/linux-cve-announce/2025122458-CVE-2025-68363-3863@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-68363
https://www.cve.org/CVERecord?id=CVE-2025-68363

History

Sun, 11 Jan 2026 16:45:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/97b876fa88322625228792cf7a5fd77531815a80 https://git.kernel.org/stable/c/b3171a5e4622e915e94599a55f4964078bdec27e

Thu, 25 Dec 2025 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025122458-CVE-2025-68363-3863@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-68363 https://www.cve.org/CVERecord?id=CVE-2025-68363
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Wed, 24 Dec 2025 10:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: bpf: Check skb->transport_header is set in bpf_skb_check_mtu The bpf_skb_check_mtu helper needs to use skb->transport_header when the BPF_MTU_CHK_SEGS flag is used: bpf_skb_check_mtu(skb, ifindex, &mtu_len, 0, BPF_MTU_CHK_SEGS) The transport_header is not always set. There is a WARN_ON_ONCE report when CONFIG_DEBUG_NET is enabled + skb->gso_size is set + bpf_prog_test_run is used: WARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071 skb_gso_validate_network_len bpf_skb_check_mtu bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch bpf_test_run bpf_prog_test_run_skb For a normal ingress skb (not test_run), skb_reset_transport_header is performed but there is plan to avoid setting it as described in commit 2170a1f09148 ("net: no longer reset transport_header in __netif_receive_skb_core()"). This patch fixes the bpf helper by checking skb_transport_header_was_set(). The check is done just before skb->transport_header is used, to avoid breaking the existing bpf prog. The WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next.
Title		bpf: Check skb->transport_header is set in bpf_skb_check_mtu
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1c30e4afc5507f0069cc09bd561e510e4d97fbf7 https://git.kernel.org/stable/c/30ce906557a21adef4cba5901c8e995dc18263a9 https://git.kernel.org/stable/c/942268e2726ac7f16e3ec49dbfbbbe7cf5af9da5 https://git.kernel.org/stable/c/d946f3c98328171fa50ddb908593cf833587f725

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-12-24T10:32:51.236Z

Updated: 2026-05-11T21:51:45.485Z

Reserved: 2025-12-16T14:48:05.308Z

Link: CVE-2025-68363

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2025-12-24T11:15:59.720

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68363

Redhat

Severity : Low

Publid Date: 2025-12-24T00:00:00Z

Links: CVE-2025-68363 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

No weakness.

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object