VYPR NVD Advisory: CVE-2025-68232
Unrated severity · Published Dec 16, 2025 · Updated Apr 15, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

veth: more robust handling of race to avoid txq getting stuck

Commit dc82a33297fc ("veth: apply qdisc backpressure on full ptr_ring to reduce TX drops") introduced a race condition that can lead to a permanently stalled TXQ. This was observed in production on ARM64 systems (Ampere Altra Max).

The race occurs in veth_xmit(). The producer observes a full ptr_ring and stops the queue (netif_tx_stop_queue()). The subsequent conditional logic, intended to re-wake the queue if the consumer had just emptied it (if (__ptr_ring_empty(...)) netif_tx_wake_queue()), can fail. This leads to a "lost wakeup" where the TXQ remains stopped (QUEUE_STATE_DRV_XOFF) and traffic halts.

This failure is caused by an incorrect use of the __ptr_ring_empty() API from the producer side. As noted in kernel comments, this check is not guaranteed to be correct if a consumer is operating on another CPU. The empty test is based on ptr_ring->consumer_head, making it reliable only for the consumer. Using this check from the producer side is fundamentally racy.

This patch fixes the race by adopting the more robust logic from an earlier version (V4) of the patchset, which always flushed the peer:

(1) In veth_xmit(), the racy conditional wake-up logic and its memory barrier are removed. Instead, after stopping the queue, we unconditionally call __veth_xdp_flush(rq). This guarantees that the NAPI consumer is scheduled, making it solely responsible for re-waking the TXQ. This handles the race where veth_poll() consumes all packets and completes NAPI *before* veth_xmit() on the producer side has called netif_tx_stop_queue. The __veth_xdp_flush(rq) will observe rx_notify_masked is false and schedule NAPI.

(2) On the consumer side, the logic for waking the peer TXQ is moved out of veth_xdp_rcv() and placed at the end of the veth_poll() function. This placement is part of fixing the race, as the netif_tx_queue_stopped() check must occur after rx_notify_masked is potentially set to false during NAPI completion. This handles the race where veth_poll() consumes all packets but hasn't finished (rx_notify_masked is still true). The producer veth_xmit() stops the TXQ, and __veth_xdp_flush(rq) will observe that rx_notify_masked is true, meaning NAPI is not started. Then veth_poll() changes rx_notify_masked to false and stops NAPI. Before exiting, veth_poll() will observe that the TXQ is stopped and wake it up.
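The lost wakeup and the two-part fix, as an added example that is not part of the kernel commit or of this advisory: a small C model of the producer (veth_xmit()) and consumer (veth_poll()) steps described above, explored over every possible interleaving, once with the old wake logic and once with the fix. The producer-side __ptr_ring_empty() check is modelled, as an assumption, as evaluating the ring occupancy the producer observed when it found the ring full; the ring size, the step granularity and the has_lost_wakeup() entry point belong to the model, not to the driver.

```c
#define RING_CAP 1  /* one ptr_ring slot is enough to exhibit the race */
/* Shared state of veth_xmit() (producer) and veth_poll() (NAPI consumer). p_pc/c_pc
 * are step counters (3 = done/idle); p_view is the ASSUMED stale view of the ring. */
struct model { int ring, txq_stopped, rx_notify_masked, napi_pending, p_pc, c_pc, p_view; };
static int consumer_runnable(const struct model *m) { return m->c_pc < 3 || m->napi_pending; }
static void producer_step(struct model *m, int fixed)
{
    switch (m->p_pc) {
    case 0: /* ptr_ring_produce() attempt; remember what the producer saw */
        m->p_view = m->ring; m->p_pc = 1;
        if (m->ring < RING_CAP) { m->ring++; m->p_pc = 3; } return;
    case 1: /* ring full: netif_tx_stop_queue(txq); the packet is dropped */
        m->txq_stopped = 1; m->p_pc = 2; return;
    default: /* buggy: producer-side __ptr_ring_empty(); fixed: __veth_xdp_flush(rq) */
        if (!fixed) { if (m->p_view == 0) m->txq_stopped = 0; }
        else if (!m->rx_notify_masked) { m->rx_notify_masked = 1; m->napi_pending = 1; }
        m->p_pc = 3;
    }
}
static void consumer_step(struct model *m, int fixed)
{
    switch (m->c_pc) {
    case 0: /* veth_xdp_rcv(): drain the ring; the old code woke the TXQ here */
        if (!fixed && m->txq_stopped) m->txq_stopped = 0;
        m->ring = 0; m->c_pc = 1; return;
    case 1: /* napi_complete_done(): NAPI no longer owns the ring */
        m->rx_notify_masked = 0; m->c_pc = 2; return;
    case 2: /* end of veth_poll(): the fix wakes the TXQ here, after completion */
        if (fixed && m->txq_stopped) m->txq_stopped = 0;
        m->c_pc = 3; return;
    default: /* idle: another poll round only if a flush scheduled one */
        if (m->napi_pending) { m->napi_pending = 0; m->c_pc = 0; }
    }
}

/* Try every interleaving; 1 if a run ends with the TXQ stopped and nobody left to wake it. */
static int explore(struct model m, int fixed)
{
    struct model n; int stuck = 0;
    if (m.p_pc == 3 && !consumer_runnable(&m)) return m.txq_stopped; /* terminal state */
    if (m.p_pc < 3) { n = m; producer_step(&n, fixed); stuck |= explore(n, fixed); }
    if (consumer_runnable(&m)) { n = m; consumer_step(&n, fixed); stuck |= explore(n, fixed); }
    return stuck;
}

int has_lost_wakeup(int fixed) /* commit's scenario: ring full, NAPI mid-poll on another CPU */
{
    struct model m = { .ring = RING_CAP, .rx_notify_masked = 1 };
    return explore(m, fixed); /* buggy -> 1, fixed -> 0 */
}
```

The interleaving that gets stuck in the old model is exactly race (1) above: the consumer drains the ring and completes NAPI between the producer's full check and its stop, so the stale empty check never wakes the queue and no poll round is left to do it.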

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A race condition in the Linux kernel's veth driver can permanently stall a TX queue, causing network traffic to halt.

Vulnerability

CVE-2025-68232 describes a race condition in the Linux kernel's veth (virtual Ethernet) driver that can lead to a permanently stalled transmit queue (TXQ). The issue was introduced by commit dc82a33297fc, which aimed to apply qdisc backpressure on a full ptr_ring to reduce TX drops. The race occurs in the veth_xmit() function: when the producer observes a full ptr_ring and stops the queue via netif_tx_stop_queue(), the subsequent logic intended to re-wake the queue if the consumer had just emptied it can fail. This failure is due to the incorrect use of __ptr_ring_empty() from the producer side, a check that relies on ptr_ring->consumer_head and is only reliable when called by the consumer. The result is a "lost wakeup" in which the TXQ remains stopped (QUEUE_STATE_DRV_XOFF), halting traffic entirely.

Exploitation

The vulnerability is triggered during normal operation of veth pairs under load. An attacker with the ability to send traffic through a vulnerable veth interface (either locally or remotely, depending on network configuration) could potentially cause the race condition. The race requires the producer and consumer to be on different CPUs, and a specific timing window where the consumer empties the ring and completes NAPI before the producer stops the queue. No special privileges beyond the ability to use the veth netdevices are needed, making it a low-complexity denial-of-service vector in container or virtualization environments where veth is commonly used. [1]

Impact

A successful exploitation results in a complete stall of the affected transmit queue, effectively stopping all outgoing traffic on that veth interface. This constitutes a denial of service (DoS). The impact is local, meaning only the system where the veth pair resides is affected, but in production environments (e.g., Kubernetes, virtual machine networking) this can disrupt critical services.

Mitigation

The fix, committed as part of the patch series, adopts more robust logic from an earlier version (V4) of the change. In veth_xmit(), the racy conditional wake-up logic is removed; instead, after stopping the queue, the function unconditionally calls __veth_xdp_flush(rq), guaranteeing that the NAPI consumer is scheduled and solely responsible for re-waking the TXQ. On the consumer side, the waking logic is moved to veth_poll(). Users should apply kernel updates containing this commit (e.g., Linux stable kernels including the patch). [1]

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
