CVE-2025-68813

Source
https://cve.org/CVERecord?id=CVE-2025-68813
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68813.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-68813
Published
2026-01-13T15:29:18.483Z
Modified
2026-03-21T08:42:37.577983Z
Summary
ipvs: fix ipv4 null-ptr-deref in route error path
Details

In the Linux kernel, the following vulnerability has been resolved:

ipvs: fix ipv4 null-ptr-deref in route error path

The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure() without ensuring skb->dev is set, leading to a NULL pointer dereference in fib_compute_spec_dst() when ipv4_link_failure() attempts to send ICMP destination unreachable messages.

The issue emerged after commit ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure") started calling __ip_options_compile() from ipv4_link_failure(). This code path eventually calls fib_compute_spec_dst() which dereferences skb->dev. An attempt was made to fix the NULL skb->dev dereference in commit 0113d9c9d1cc ("ipv4: fix null-deref in ipv4_link_failure"), but it only addressed the immediate dev_net(skb->dev) dereference by using a fallback device. The fix was incomplete because fib_compute_spec_dst() later in the call chain still accesses skb->dev directly, which remains NULL when IPVS calls dst_link_failure().

The crash occurs when:
1. IPVS processes a packet in NAT mode with a misconfigured destination
2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route
3. The error path calls dst_link_failure(skb) with skb->dev == NULL
4. ipv4_link_failure() → ipv4_send_dest_unreach() → __ip_options_compile() → fib_compute_spec_dst()
5. fib_compute_spec_dst() dereferences NULL skb->dev

Apply the same fix used for IPv6 in commit 326bf17ea5d4 ("ipvs: fix ipv6 route unreach panic"): set skb->dev from skb_dst(skb)->dev before calling dst_link_failure().

KASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f]
CPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2
RIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233
RIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285
Call Trace:
 <TASK>
 spec_dst_fill net/ipv4/ip_options.c:232
 spec_dst_fill net/ipv4/ip_options.c:229
 __ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330
 ipv4_send_dest_unreach net/ipv4/route.c:1252
 ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265
 dst_link_failure include/net/dst.h:437
 __ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412
 ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68813.json"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ed0de45a1008991fdaa27a0152befcb74d126a8b
Fixed
dd72a93c80408f06327dd2d956eb1a656d0b5903
Fixed
312d7cd88882fc6cadcc08b02287497aaaf94bcd
Fixed
cdeff10851c37a002d87a035818ebd60fdb74447
Fixed
4729ff0581fbb7ad098b6153b76b6f5aac94618a
Fixed
25ab24df31f7af843c96a38e0781b9165216e1a8
Fixed
689a627d14788ad772e0fa24c2e57a23dbc7ce90
Fixed
ad891bb3d079a46a821bf2b8867854645191bab0
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
6c2fa855d8178699706b1192db2f1f8102b0ba1e
Last affected
fbf569d2beee2a4a7a0bc8b619c26101d1211a88
Last affected
ff71f99d5fb2daf54340e8b290d0bc4e6b4c1d38
Last affected
3d988fcddbe7b8673a231958bd2fba61b5a7ced9
Last affected
8a430e56a6485267a1b2d3747209d26c54d1a34b
Last affected
6bd1ee0a993fc9574ae43c1994c54a60cb23a380

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68813.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type       Introduced  Fixed
ECOSYSTEM  5.1.0       5.10.248
ECOSYSTEM  5.11.0      5.15.198
ECOSYSTEM  5.16.0      6.1.160
ECOSYSTEM  6.2.0       6.6.120
ECOSYSTEM  6.7.0       6.12.64
ECOSYSTEM  6.13.0      6.18.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68813.json"
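
The ECOSYSTEM ranges above can be checked against a host's kernel release string during triage. The following is an added example, not code from OSV or the kernel project; the function names are hypothetical. It assumes upstream stable version numbering: distribution kernels that backport fixes keep their old version number, and releases below 5.1.0 are covered only by the "Last affected" GIT events, which this check does not model.

```python
import re

# (introduced, fixed) pairs copied from the ECOSYSTEM ranges on this page.
# Each range is half-open: introduced <= version < fixed.
AFFECTED_RANGES = [
    ("5.1.0", "5.10.248"),
    ("5.11.0", "5.15.198"),
    ("5.16.0", "6.1.160"),
    ("6.2.0", "6.6.120"),
    ("6.7.0", "6.12.64"),
    ("6.13.0", "6.18.3"),
]


def parse_release(release):
    """Turn a `uname -r` style string into (major, minor, patch).

    Suffixes such as "-generic" or "-rc1" are ignored, and a missing
    patch level ("6.6") is read as 0. Returns None if nothing parses.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def classify(release):
    """Return 'affected', 'not-in-range' or 'unknown' for a release string."""
    version = parse_release(release)
    if version is None:
        return "unknown"
    for introduced, fixed in AFFECTED_RANGES:
        if parse_release(introduced) <= version < parse_release(fixed):
            return "affected"
    return "not-in-range"


if __name__ == "__main__":
    # Constructed sample inputs; 6.6.114 is the version in the KASAN report.
    for sample in ["6.6.114", "6.6.120-generic", "5.10.248", "6.18.2", "n/a"]:
        print(f"{sample:18} {classify(sample)}")
```

An "affected" result only matters on hosts that actually use IPVS, since the crash path runs through ip_vs_nat_xmit().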