Unrated severity · NVD Advisory · Published Dec 16, 2025 · Updated Apr 15, 2026

CVE-2025-68200

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Add bpf_prog_run_data_pointers()

syzbot found that cls_bpf_classify() is able to change tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().

WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline]
WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214

struct tc_skb_cb has been added in commit ec624fe740b4 ("net/sched: Extend qdisc control block with tc control block"), which added a wrong interaction with db58ba459202 ("bpf: wire in data and data_end for cls_act_bpf").

drop_reason was added later.

Add bpf_prog_run_data_pointers() helper to save/restore the net_sched storage colliding with BPF data_meta/data_end.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, BPF programs in cls_bpf can corrupt tc_skb_cb drop_reason, causing a kernel warning; fixed by adding bpf_prog_run_data_pointers().

Vulnerability

A vulnerability exists in the Linux kernel's BPF and net/sched subsystems where the cls_bpf_classify() function can modify the drop_reason field in tc_skb_cb. This field was introduced to track the reason for dropping packets, but when a BPF program is executed via cls_bpf_classify(), it writes BPF's data pointers (data_meta/data_end) into the same storage area that holds the drop_reason, corrupting it. This leads to a kernel warning in sk_skb_reason_drop().

Exploitation

An attacker who can attach a BPF program to a tc classifier (requires CAP_NET_ADMIN) can trigger this issue by sending packets that cause the BPF program to run. No other authentication is needed. The bug was discovered by syzbot, indicating it can be triggered without special privileges beyond the ability to configure BPF programs.

Impact

When the corrupted drop_reason is used, a warning is generated: WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop. This results in a kernel panic or at least a denial of service due to the warning. There is no evidence of code execution beyond this warning.

Mitigation

The fix is committed in Linux kernel stable branches as patches [1][2]. The commit introduces bpf_prog_run_data_pointers() to save and restore the net_sched storage that collides with BPF data pointers. Users should apply the latest kernel updates to mitigate the issue.
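
A userspace model of the collision and of the save/restore pattern described above, added here as an illustration and not taken from the kernel patch. The struct layouts and all names are simplified assumptions; only the field names `drop_reason`, `data_meta` and `data_end` come from the advisory text.

```c
#include <stdint.h>
#include <string.h>

/* Simplified model; offsets are illustrative assumptions, not the kernel's.
 * Both views share a header, then reuse the same bytes (like skb->cb). */
struct hdr_model { uint32_t pkt_len; uint16_t queue_mapping, tc_classid; };
struct tc_view   { struct hdr_model hdr; uint32_t drop_reason; };
struct bpf_view  { struct hdr_model hdr; uintptr_t data_meta, data_end; };
union cb_model   { struct tc_view tc; struct bpf_view bpf; };
struct pkt_model { union cb_model cb; unsigned char payload[64]; };

/* Stand-in for a classifier program; it only returns a verdict. */
static uint32_t prog_accept(struct pkt_model *p) { (void)p; return 0; }

/* Fill the BPF view before the program runs; this overwrites the tc view. */
static void compute_data_pointers(struct pkt_model *p) {
    p->cb.bpf.data_meta = (uintptr_t)p->payload;
    p->cb.bpf.data_end  = (uintptr_t)(p->payload + sizeof(p->payload));
}

/* Pre-fix pattern: the tc view stays clobbered after the program returns. */
static uint32_t run_unprotected(struct pkt_model *p) {
    compute_data_pointers(p);
    return prog_accept(p);
}

/* Fixed pattern: save the colliding storage, run, then restore it. */
static uint32_t run_save_restore(struct pkt_model *p) {
    uintptr_t save_meta = p->cb.bpf.data_meta, save_end = p->cb.bpf.data_end;
    uint32_t res;

    compute_data_pointers(p);
    res = prog_accept(p);
    p->cb.bpf.data_meta = save_meta;
    p->cb.bpf.data_end  = save_end;
    return res;
}

/* drop_reason as the tc layer sees it after the classifier has run. */
static uint32_t drop_reason_after(int use_fix, uint32_t initial) {
    struct pkt_model p;

    memset(&p, 0, sizeof(p));
    p.cb.tc.drop_reason = initial;          /* constructed sample value */
    (use_fix ? run_save_restore : run_unprotected)(&p);
    return p.cb.tc.drop_reason;
}

int main(void) { return drop_reason_after(1, 5) == 5 ? 0 : 1; }
```

In the unprotected path the value read back as `drop_reason` is part of a buffer address, which is the kind of out-of-range reason that the warning in the description reports.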

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Linux/Kernel (inferred), 2 versions
    • (no CPE)
    • (no CPE)
