CVE-2025-68234
Description
In the Linux kernel, the following vulnerability has been resolved:
io_uring/cmd_net: fix wrong argument types for skb_queue_splice()
If timestamp retrieving needs to be retried and the local list of SKBs already has entries, then it's spliced back into the socket queue. However, the arguments for the splice helper are transposed, causing exactly the wrong direction of splicing into the on-stack list. Fix that up.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A transposed argument in skb_queue_splice() within Linux kernel's io_uring network command handling causes incorrect SKB splicing, potentially leading to data corruption or denial of service.
Vulnerability Overview
In the Linux kernel's io_uring subsystem, specifically in the cmd_net path, a bug exists in the skb_queue_splice() function call. When timestamp retrieval needs to be retried and the local list of SKBs already has entries, the code attempts to splice the list back into the socket queue. However, the arguments to the splice helper are transposed, causing the splice to occur in the wrong direction—into the on-stack list instead of back into the socket queue [1].
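The effect of swapping the two arguments can be seen in a small userspace model, added here as an illustration; it is not the kernel's code or the patch itself. The `queue`, `q_splice` and `retry_path` names are hypothetical; only the (source, destination) argument order mirrors `skb_queue_splice(list, head)`.

```c
#include <stddef.h>

/* Userspace model of a kernel-style queue head; not kernel code. */
struct node { struct node *next, *prev; int id; };
struct queue { struct node head; unsigned int qlen; };

static void q_init(struct queue *q) {
    q->head.next = q->head.prev = &q->head;
    q->qlen = 0;
}

static void q_push_tail(struct queue *q, struct node *n) {
    n->prev = q->head.prev; n->next = &q->head;
    q->head.prev->next = n; q->head.prev = n;
    q->qlen++;
}

/* Same (source, destination) order as skb_queue_splice(list, head):
 * entries of 'list' are joined at the front of 'head'. The source is
 * re-initialised here to keep the model simple. */
static void q_splice(struct queue *list, struct queue *head) {
    if (list->qlen == 0) return;
    struct node *first = list->head.next, *last = list->head.prev;
    first->prev = &head->head; last->next = head->head.next;
    head->head.next->prev = last; head->head.next = first;
    head->qlen += list->qlen;
    q_init(list);
}

/* Retry path: entries held on the local list must go back to the socket
 * queue. transposed != 0 models the swapped call. Returns the number of
 * entries left on the socket queue afterwards. */
static unsigned int retry_path(int transposed) {
    struct queue sock_q, local;
    struct node n[3] = { {0, 0, 1}, {0, 0, 2}, {0, 0, 3} }; /* constructed sample entries */
    q_init(&sock_q); q_init(&local);
    q_push_tail(&sock_q, &n[0]);   /* one entry still queued on the socket */
    q_push_tail(&local, &n[1]);    /* two entries already pulled locally */
    q_push_tail(&local, &n[2]);
    if (transposed)
        q_splice(&sock_q, &local); /* wrong: drains the socket queue into the local list */
    else
        q_splice(&local, &sock_q); /* intended: local entries return to the socket queue */
    return sock_q.qlen;
}
```

With the intended order the socket queue ends up holding all three entries; with the arguments swapped it ends up empty and every entry sits on the function-local list.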
Exploitation Conditions
This vulnerability is triggered during a specific error-handling path: when timestamp retrieval is retried and the local SKB list is non-empty. An attacker would need to be able to influence the timing or state of network operations to cause such a retry. The bug is a logic error in kernel code, not a direct user-triggerable flaw, but it could be exploited by a local user with access to io_uring operations or by a remote attacker if the system is processing network packets in a way that triggers the retry path.
Impact
If exploited, the incorrect splicing could lead to data corruption within the kernel's network stack, as SKBs are moved to the wrong list. This could result in memory corruption, system instability, or a denial of service. The exact impact depends on the kernel's memory management and the state of the socket queue at the time of the bug.
Mitigation
The fix is included in the Linux kernel stable tree as commit c85d2cfc5e24e6866b56c7253fd4e1c7db35986c [1]. Users should update their kernels to a version containing this patch. No workaround is available beyond applying the kernel update.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (No patches discovered yet.)
References: 2
News mentions: 0 (No linked articles in our index yet.)