CVE-2025-68191
Description
In the Linux kernel, the following vulnerability has been resolved:
udp_tunnel: use netdev_warn() instead of netdev_WARN()
netdev_WARN() uses WARN/WARN_ON to print a backtrace along with file and line information. In this case, udp_tunnel_nic_register() returning an error is just a failed operation, not a kernel bug.
udp_tunnel_nic_register() can fail due to a memory allocation failure (kzalloc() or udp_tunnel_nic_alloc()). This is a normal runtime error and not a kernel bug.
Replace netdev_WARN() with netdev_warn() accordingly.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel replaced netdev_WARN() with netdev_warn() in udp_tunnel_nic_register() to prevent unnecessary kernel bug splats from routine allocation failures.
Root
Cause
The Linux kernel function udp_tunnel_nic_register() used netdev_WARN() to log errors when memory allocation (via kzalloc() or udp_tunnel_nic_alloc()) failed. netdev_WARN() triggers a WARN_ON backtrace, which is intended for kernel bugs, not routine runtime errors like memory exhaustion. This mismatch caused unnecessary kernel bug reports ([1]).
Exploitation
An attacker with the ability to exhaust memory on a system can trigger this warning by causing udp_tunnel_nic_register() to fail. No special privileges are required beyond the ability to induce memory pressure. The WARN_ON can lead to system instability (e.g., panic on some configurations) or excessive log flooding.
Impact
The primary impact is a denial-of-service condition: repeated WARN_ON calls can degrade system performance, fill logs, or cause a kernel panic depending on the kernel configuration. The information leak is minimal since the backtrace reveals kernel addresses but not sensitive data.
Mitigation
The fix replaces netdev_WARN() with netdev_warn(), which logs a warning without triggering a kernel bug splat. The patch has been backported to multiple stable kernel trees as referenced in [1]. Users should apply the latest stable updates to eliminate the risk.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- git.kernel.org/stable/c/087f1ed450dc6e7e49ffbbbe5b78be1218c6d5e0nvd
- git.kernel.org/stable/c/3c3b148bf8384c8a787753cf20abde1c5731f97fnvd
- git.kernel.org/stable/c/45e4e4a8772fa1c5f6f38e82b732b3a9d8137af4nvd
- git.kernel.org/stable/c/51b3033088f0420b19027e3d54cd989b6ebd987envd
- git.kernel.org/stable/c/7758ec35ff3e9a31558eda4f0f9eb0ddfa78a8banvd
- git.kernel.org/stable/c/c018a87942bf1607aeebf8dba5a210ca9a09a0fdnvd
- git.kernel.org/stable/c/dc2f650f7e6857bf384069c1a56b2937a1ee370dnvd
News mentions
0No linked articles in our index yet.