CVE-2025-68188
Description
In the Linux kernel, the following vulnerability has been resolved:
tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()
Use RCU to avoid a pair of atomic operations and a potential UAF on dst_dev()->flags.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free (UAF) vulnerability in the Linux kernel's TCP fast open code is fixed by switching to RCU-protected dst_dev_rcu() to safely access dst->dev flags.
Vulnerability
In the Linux kernel's TCP stack, the function tcp_fastopen_active_disable_ofo_check() directly accessed the flags field of the device associated with a dst_entry, obtained via dst_dev(). This access was performed without RCU protection, creating a race condition in which the device could be freed while it was being read, leading to a use-after-free (UAF) [1][2].
Exploitation
An attacker would need to trigger the fast open path in TCP and race the device removal with the check in tcp_fastopen_active_disable_ofo_check(). The vulnerability is local to the kernel and requires no special privileges beyond network access; it can be triggered by normal TCP traffic patterns that cause the fast open code to evaluate whether to disable active fast open [1][2].
Impact
A successful exploit could allow an attacker to cause a kernel crash (denial of service) or potentially escalate privileges if the freed memory is reused in a controlled manner. The vulnerability is classified as a use-after-free, which often leads to code execution in kernel contexts [1][2].
Mitigation
The fix replaces the unprotected dst_dev() call with dst_dev_rcu(), which uses RCU to safely access the device pointer without atomic operations and prevents the UAF. The patch has been applied to the Linux kernel stable tree [1][2]. Users should update to a kernel version containing the commit b62a59c18b69 or 06da08d9355b.
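Vendor backports change commit hashes, so a source-level check is often the practical way to confirm that a kernel tree carries this fix. The script below is an added example, not code from this CVE record or from the kernel project. It assumes the fix can be recognized by a dst_dev_rcu() call inside tcp_fastopen_active_disable_ofo_check(); the helper names tfo_func_body, tfo_fix_status and tfo_demo are hypothetical, and the sample sources it writes are constructed stand-ins.

```shell
#!/bin/sh
# Added example: heuristic source check for the CVE-2025-68188 fix.
# Prints fixed | unfixed | unknown for one C source file.
FUNC=tcp_fastopen_active_disable_ofo_check

# Print the definition of $FUNC found in file $1, tracking brace depth
# from the definition line. Prototypes and calls (lines ending in ";")
# are skipped. Braces inside comments or strings are not handled.
tfo_func_body() {
    awk -v fn="$FUNC" '
        !inside && index($0, fn "(") && $0 !~ /;[ \t]*$/ { inside = 1 }
        inside {
            print
            n = gsub(/[{]/, "{"); m = gsub(/[}]/, "}")
            depth += n - m
            if (n > 0) seen = 1
            if (seen && depth <= 0) exit
        }
    ' "$1"
}

tfo_fix_status() {
    body=$(tfo_func_body "$1" 2>/dev/null || true)
    if [ -z "$body" ]; then
        echo unknown            # function not present in this file
    elif printf '%s\n' "$body" | grep -q 'dst_dev_rcu[[:space:]]*('; then
        echo fixed              # device is read through the RCU accessor
    else
        echo unfixed            # function present, RCU accessor absent
    fi
}

# Constructed stand-ins (not the kernel's real source) to run the check offline.
tfo_demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'void tcp_fastopen_active_disable_ofo_check(struct sock *sk)' \
        '{' '    if (!(dst_dev(dst)->flags & FLAG)) { reset(); }' '}' > "$d/old.c"
    sed 's/dst_dev(/dst_dev_rcu(/' "$d/old.c" > "$d/new.c"
    printf 'void other(void)\n{\n}\n' > "$d/none.c"
    for f in old new none; do
        printf '%s: %s\n' "$f" "$(tfo_fix_status "$d/$f.c")"
    done
    rm -rf "$d"
}

if [ "$#" -gt 0 ]; then tfo_fix_status "$1"; else tfo_demo; fi
```

Run it with the path of the source file that defines the function in the tree under review. An "unfixed" or "unknown" result is a prompt to inspect the function by hand, not a verdict.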
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (3)
News mentions (0)
No linked articles in our index yet.