CVE-2025-68192
Description
In the Linux kernel, the following vulnerability has been resolved:
net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup
Raw IP packets have no MAC header, leaving skb->mac_header uninitialized. This can trigger kernel panics on ARM64 when xfrm or other subsystems access the offset due to strict alignment checks.
Initialize the MAC header to prevent such crashes.
This can trigger kernel panics on ARM when running IPsec over the qmimux0 interface.
Example trace:
Internal error: Oops: 000000009600004f [#1] SMP CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1 Hardware name: LS1028A RDB Board (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : xfrm_input+0xde8/0x1318 lr : xfrm_input+0x61c/0x1318 sp : ffff800080003b20 Call trace: xfrm_input+0xde8/0x1318 xfrm6_rcv+0x38/0x44 xfrm6_esp_rcv+0x48/0xa8 ip6_protocol_deliver_rcu+0x94/0x4b0 ip6_input_finish+0x44/0x70 ip6_input+0x44/0xc0 ipv6_rcv+0x6c/0x114 __netif_receive_skb_one_core+0x5c/0x8c __netif_receive_skb+0x18/0x60 process_backlog+0x78/0x17c __napi_poll+0x38/0x180 net_rx_action+0x168/0x2f0
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's qmi_wwan driver, uninitialized MAC header offset in qmimux_rx_fixup causes kernel panics on ARM64 when IPsec traffic.
Vulnerability
In the Linux kernel's qmi_wwan driver, the qmimux_rx_fixup function processes raw IP packets that lack a MAC header. The skb->mac_header offset is left uninitialized, which can trigger kernel panics on ARM64 architectures when subsystems like xfrm (IPsec) access the offset due to strict alignment checks [1].
Exploitation
An attacker can trigger this vulnerability by sending specially crafted network traffic that reaches the qmimux0 interface, specifically IPsec (ESP) packets processed by the xfrm subsystem. The crash occurs during packet reception in the network stack, as shown in the kernel trace where xfrm_input dereferences the uninitialized MAC header offset [1]. No authentication or special privileges are required beyond sending crafted packets to the vulnerable interface.
Impact
Successful exploitation leads to a kernel panic (Oops) on ARM64 systems, causing a denial of service (DoS). The crash trace shows the panic in xfrm_input during IPsec processing, which can be triggered by remote packets from the network [1].
Mitigation
The fix initializes the MAC header offset in qmimux_rx_fixup to prevent the crash. The patch has been applied to the Linux kernel stable tree [1]. Users should update to a kernel version containing this fix.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/0aabccdcec1f4a36f95829ea2263f845bbc77223nvd
- git.kernel.org/stable/c/4e6b9004f01d0fef5b19778399bc5bf55f8c2d71nvd
- git.kernel.org/stable/c/8ab3b8f958d861a7f725a5be60769106509fbd69nvd
- git.kernel.org/stable/c/ae811175cea35b03ac6d7c910f43a82a43b9c3b3nvd
- git.kernel.org/stable/c/bf527b80b80a282ab5bf1540546211fc35e5cd42nvd
- git.kernel.org/stable/c/d693c47fb902b988f5752182e4f7fbde5e6dcaf9nvd
- git.kernel.org/stable/c/dd03780c29f87c26c0e0bb7e0db528c8109461fbnvd
- git.kernel.org/stable/c/e120f46768d98151ece8756ebd688b0e43dc8b29nvd
News mentions
0No linked articles in our index yet.