CVE-2025-68206
Description
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_ct: add seqadj extension for natted connections
Sequence adjustment may be required for FTP traffic with PASV/EPSV modes, due to the need to re-write the packet payload (IP, port) on the ftp control connection. This can require changes to the TCP length and expected seq / ack_seq.
The easiest way to reproduce this issue is with PASV mode. Example ruleset:

    table inet ftp_nat {
        ct helper ftp_helper {
            type "ftp" protocol tcp
            l3proto inet
        }

        chain prerouting {
            type filter hook prerouting priority 0; policy accept;
            tcp dport 21 ct state new ct helper set "ftp_helper"
        }
    }

    table ip nat {
        chain prerouting {
            type nat hook prerouting priority -100; policy accept;
            tcp dport 21 dnat ip prefix to ip daddr map { 192.168.100.1 : 192.168.13.2/32 }
        }

        chain postrouting {
            type nat hook postrouting priority 100; policy accept;
            tcp sport 21 snat ip prefix to ip saddr map { 192.168.13.2 : 192.168.100.1/32 }
        }
    }
Note that the ftp helper gets assigned *after* the dnat setup.
The inverse (nat after helper assign) is handled by an existing check in nf_nat_setup_info() and will not show the problem.
Topology:

    +-------------------+     +----------------------------------+
    | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 |
    +-------------------+     +----------------------------------+
                                             |
                                  +-----------------------+
                                  | Client: 192.168.100.2 |
                                  +-----------------------+
ftp nat changes do not work as expected in this case:

    Connected to 192.168.100.1.
    [..]
    ftp> epsv
    EPSV/EPRT on IPv4 off.
    ftp> ls
    227 Entering passive mode (192,168,100,1,209,129).
    421 Service not available, remote server has closed connection.
Kernel logs:

    Missing nfct_seqadj_ext_add() setup call
    WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41
    [..]
    __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]
    nf_nat_ftp+0x142/0x280 [nf_nat_ftp]
    help+0x4d1/0x880 [nf_conntrack_ftp]
    nf_confirm+0x122/0x2e0 [nf_conntrack]
    nf_hook_slow+0x3c/0xb0
    ..
Fix this by adding the required extension when a conntrack helper is assigned to a connection that has a nat binding.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel netfilter missing seqadj extension for natted FTP connections causes connection failures when helper is assigned after DNAT.
Vulnerability
CVE-2025-68206 is a bug in the Linux kernel's netfilter subsystem. When a conntrack helper (e.g., for FTP) is assigned to a connection *after* a DNAT rule has already been applied, the kernel fails to allocate the sequence-adjustment (seqadj) extension needed to correct the TCP sequence numbers of the NATted connection. The extension is required because FTP control connections carry embedded IP addresses and ports in PASV/EPSV mode replies; NAT must rewrite those, which changes the payload length, so the TCP sequence and acknowledgment numbers must be adjusted accordingly. The missing seqadj extension leads to corrupted packet payloads and broken connections.
Exploitation
The vulnerability is triggered by a specific ordering of netfilter rules: a DNAT rule that matches on tcp dport 21 and a separate rule that sets the FTP conntrack helper on ct state new. If the helper assignment happens after the DNAT transformation, the kernel does not allocate the necessary nfct_seqadj_ext extension for the conntrack entry. An attacker on the same network as the NAT gateway can exploit this by initiating an FTP data connection (PASV or EPSV mode) through the gateway. The client will receive a malformed passive mode response containing the NAT gateway's external IP and a port, but the kernel's failure to adjust TCP sequence numbers causes the data connection to fail, resulting in a "421 Service not available" error and connection closure.
Impact
A remote attacker can cause a denial of service (DoS) condition for FTP traffic that traverses NAT with a conntrack helper assigned. The affected system will fail to properly handle FTP data connections, making the service unavailable. The bug does not allow arbitrary code execution or privilege escalation, but it disrupts legitimate FTP traffic through the NAT gateway.
Mitigation
The fix has been applied to the Linux kernel stable tree in commit [1]. Users should update their kernel to a version containing this patch. The fix ensures that the seqadj extension is added for natted connections regardless of the order of helper assignment. No workaround is available other than avoiding the specific rule ordering that triggers the bug.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
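The Mitigation section above notes that the only workaround is to avoid the rule ordering that triggers the bug (helper assigned in a chain that runs after the dnat chain on the same hook). The following is an added example, not code from the page or the kernel, that audits `nft list ruleset` text for exactly that ordering; the `FIXED` variant with `priority -150` is a constructed ruleset, chosen so the helper chain runs before dstnat (-100), and is the author's assumption of a safe ordering based on the commit message.

```python
import re
# Constructed sample: the ruleset from the commit message above, as `nft list ruleset` prints it.
BUGGY = """
table inet ftp_nat {
    ct helper ftp_helper { type "ftp" protocol tcp l3proto inet }
    chain prerouting {
        type filter hook prerouting priority 0; policy accept;
        tcp dport 21 ct state new ct helper set "ftp_helper"
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        tcp dport 21 dnat ip prefix to ip daddr map { 192.168.100.1 : 192.168.13.2/32 }
    }
}
"""
# Constructed variant: helper assigned in a chain that runs before dstnat (-100), i.e. "nat after
# helper assign", the ordering the commit message says nf_nat_setup_info() already handles.
FIXED = BUGGY.replace("priority 0;", "priority -150;")

# Numeric priorities only, as in the commit message; symbolic ones ("priority dstnat") are not parsed.
CHAIN_HDR = re.compile(r"type\s+(\w+)\s+hook\s+(\w+)\s+priority\s+(-?\d+)")

def parse_chains(text):
    """Parse nft text output into base chains: {table, name, type, hook, prio, rules}."""
    chains, table, chain = [], None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("table "):
            table = " ".join(line.split()[1:3])            # e.g. "ip nat"
        elif line.startswith("chain "):
            chain = {"table": table, "name": line.split()[1], "hook": None, "rules": []}
            chains.append(chain)
        elif chain and (m := CHAIN_HDR.match(line)):
            chain["type"], chain["hook"], chain["prio"] = m[1], m[2], int(m[3])
        elif line == "}":
            chain = None                                   # closes a chain, table or helper object
        elif chain and chain["hook"]:
            chain["rules"].append(line)                    # a rule inside a base chain
    return chains

def helper_after_dnat(text):
    """List hooks where a dnat chain runs at a lower (earlier) priority than `ct helper set`."""
    chains = parse_chains(text)
    dnat = [c for c in chains if any(" dnat " in r for r in c["rules"])]
    helpers = [c for c in chains if any("ct helper set" in r for r in c["rules"])]
    return [f"{d['hook']}: helper set in '{h['table']} {h['name']}' (prio {h['prio']}) "
            f"after dnat in '{d['table']} {d['name']}' (prio {d['prio']})"
            for d in dnat for h in helpers if h["hook"] == d["hook"] and h["prio"] > d["prio"]]
```

Running `helper_after_dnat(BUGGY)` reports the prerouting ordering from the commit message, while `helper_after_dnat(FIXED)` returns no findings.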
Affected products (2)
Patches (0)
No patches discovered yet.
References (7)
[1] git.kernel.org/stable/c/2b52d89cbbb0dbe3e948d8d9a91e704316dccfe6
[2] git.kernel.org/stable/c/4ab2cd906e4e1a19ddbda6eb532851b0e9cda110
[3] git.kernel.org/stable/c/4de80f0dc3868408dd7fe9817e507123c9dd8bb0
[4] git.kernel.org/stable/c/83273af0b60c093ba0085c205864d8542e1b1653
[5] git.kernel.org/stable/c/90918e3b6404c2a37837b8f11692471b4c512de2
[6] git.kernel.org/stable/c/b19492c25eff04852e0cb58f9bb8238b6695ed2d
[7] git.kernel.org/stable/c/b477ef7fa612fa45b6b3134d90d1eeb09396500a