CVE-2025-68241
Description
In the Linux kernel, the following vulnerability has been resolved:
ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe
The sit driver's packet transmission path calls sit_tunnel_xmit() -> update_or_create_fnhe(), which leads to fnhe_remove_oldest() being called to delete entries exceeding FNHE_RECLAIM_DEPTH+random.
The race window is between fnhe_remove_oldest() selecting fnheX for deletion and the subsequent kfree_rcu(). During this time, the concurrent path's __mkroute_output() -> find_exception() can fetch the soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a new dst using a dst_hold(). When the original fnheX is freed via RCU, the dst reference remains permanently leaked.
CPU 0                                CPU 1
__mkroute_output()
  find_exception() [fnheX]
                                     update_or_create_fnhe()
                                       fnhe_remove_oldest() [fnheX]
  rt_bind_exception() [bind dst]
                                     RCU callback [fnheX freed, dst leak]
This issue manifests as a device reference count leak and a warning in dmesg when unregistering the net device:
unregister_netdevice: waiting for sitX to become free. Usage count = N
Ido Schimmel provided the simple test validation method [1].
The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes(). Since rt_bind_exception() checks this field, setting it to zero prevents the stale fnhe from being reused and bound to a new dst just before it is freed.
[1]
ip netns add ns1
ip -n ns1 link set dev lo up
ip -n ns1 address add 192.0.2.1/32 dev lo
ip -n ns1 link add name dummy1 up type dummy
ip -n ns1 route add 192.0.2.2/32 dev dummy1
ip -n ns1 link add name gretap1 up arp off type gretap \
    local 192.0.2.1 remote 192.0.2.2
ip -n ns1 route add 198.51.0.0/16 dev gretap1
taskset -c 0 ip netns exec ns1 mausezahn gretap1 \
    -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &
taskset -c 2 ip netns exec ns1 mausezahn gretap1 \
    -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &
sleep 10
ip netns pids ns1 | xargs kill
ip netns del ns1
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, a race condition in IPv4 routing (fnhe) causes a dst refcount leak, detectable as a device usage count warning on unregister.
Vulnerability
CVE-2025-68241 describes a race condition in the Linux kernel's IPv4 routing subsystem. The fnhe_remove_oldest() function, called during update_or_create_fnhe() from the SIT (Simple Internet Transition) tunnel transmit path (e.g., sit_tunnel_xmit()), selects a cached next-hop exception (fnhe) entry for deletion. A race window exists between when an entry is selected for removal and when it is actually freed via RCU: a concurrent __mkroute_output() → find_exception() can access the soon-to-be-deleted entry, and rt_bind_exception() then binds it to a new dst with a dst_hold(). When the original fnhe is finally freed by the RCU callback, the corresponding dst reference remains permanently leaked [1][2][3][4].
Exploitation
Attackers require the ability to generate high-rate UDP traffic through a SIT/gretap tunnel configured in a network namespace, as demonstrated by Ido Schimmel's test using mausezahn [1]. No special privileges beyond local user access to create the described tunnel configuration are needed; the race is triggered by normal packet processing under load. fnhe_remove_oldest() is invoked when the number of cached exceptions exceeds FNHE_RECLAIM_DEPTH + random, so sustained traffic that creates new route exceptions is sufficient.
Impact
Successful exploitation results in a reference count leak on the network device associated with the tunnel interface. This is visible in kernel logs as a warning during device unregistration:
unregister_netdevice: waiting for sitX to become free. Usage count = N
The leaked reference prevents the tunnel interface from being fully cleaned up, potentially leading to resource exhaustion or a denial of service on the affected system.
Mitigation
The fix, applied in stable kernel branches, clears oldest->fnhe_daddr before calling fnhe_flush_routes(). Since rt_bind_exception() checks the fnhe_daddr field, setting it to zero prevents the stale fnhe from being reused and bound to a new dst just before it is freed [1][2][3][4]. Administrators should apply the latest kernel updates or backport the relevant commits to resolve the issue.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
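To make the race and the fix concrete, here is a single-threaded user-space model (an added example, not kernel code) of the interleaving given in the description: find_exception() walks the bucket without the lock, fnhe_remove_oldest() unlinks the oldest entry under the lock, and rt_bind_exception() binds a new dst only while fnhe_daddr still matches. The dst and fnhe structures, the single-entry bucket and the address 0x0a000001 are simplified stand-ins assumed for the model.

```c
#include <stdbool.h>
#include <stddef.h>
/* Model of the CVE-2025-68241 interleaving (added example, not kernel code):
 * one bucket holding one exception (fnheX), both CPUs' steps replayed in order. */
struct dst { int refcnt; };                              /* stands in for rtable->dst */
struct fnhe { unsigned daddr; struct dst *rth; struct fnhe *next; };
/* CPU 0, lockless RCU walk: can hand back an entry about to be unlinked. */
static struct fnhe *find_exception(struct fnhe *chain, unsigned daddr)
{
    for (struct fnhe *f = chain; f; f = f->next)
        if (f->daddr == daddr) return f;
    return NULL;
}

static void fnhe_flush_routes(struct fnhe *f)            /* drop the cached dst */
{
    if (f->rth) { f->rth->refcnt--; f->rth = NULL; }
}

/* CPU 1, under fnhe_lock; kfree_rcu() is deferred, so CPU 0's pointer stays readable. */
static void fnhe_remove_oldest(struct fnhe **chain, bool with_fix)
{
    struct fnhe *oldest = *chain;                        /* model: head is oldest */
    if (with_fix) oldest->daddr = 0;                     /* the patch's one-line change */
    fnhe_flush_routes(oldest);
    *chain = oldest->next;
}

/* CPU 0, under fnhe_lock: binds a new dst only while fnhe_daddr still matches. */
static bool rt_bind_exception(struct fnhe *f, struct dst *rt, unsigned daddr)
{
    if (f->daddr != daddr) return false;                 /* patched kernel ends here */
    rt->refcnt++;                                        /* dst_hold() */
    if (f->rth) f->rth->refcnt--;                        /* release the replaced one */
    f->rth = rt;
    return true;
}

/* Replays the race; returns dst refs left dangling after RCU frees fnheX (0 clean, 1 leak). */
int leaked_dst_refs(bool with_fix)
{
    struct dst rt = { .refcnt = 1 };                     /* caller's own reference */
    struct fnhe x = { .daddr = 0x0a000001u, .rth = NULL, .next = NULL };
    struct fnhe *chain = &x;
    struct fnhe *stale = find_exception(chain, 0x0a000001u);   /* CPU 0 */
    fnhe_remove_oldest(&chain, with_fix);                      /* CPU 1 */
    if (stale) rt_bind_exception(stale, &rt, 0x0a000001u);     /* CPU 0 */
    return rt.refcnt - 1;   /* kfree_rcu(fnheX) frees memory, never drops x.rth */
}
```

Without the fix the stale entry still carries its daddr, so the bind succeeds and one dst reference outlives fnheX; with the fix the daddr check in rt_bind_exception() fails and nothing is held.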
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (8)
- git.kernel.org/stable/c/041ab9ca6e80d8f792bb69df28ebf1ef39c06af8 (nvd)
- git.kernel.org/stable/c/0fd16ed6dc331636fb2a874c42d2f7d3156f7ff0 (nvd)
- git.kernel.org/stable/c/298f1e0694ab4edb6092d66efed93c4554e6ced1 (nvd)
- git.kernel.org/stable/c/4b7210da22429765d19460d38c30eeca72656282 (nvd)
- git.kernel.org/stable/c/69d35c12168f9c59b159ae566f77dfad9f96d7ca (nvd)
- git.kernel.org/stable/c/ac1499fcd40fe06479e9b933347b837ccabc2a40 (nvd)
- git.kernel.org/stable/c/b84f083f50ecc736a95091691339a1b363962f0e (nvd)
- git.kernel.org/stable/c/b8a44407bdaf2f0c5505cc7d9fc7d8da90cf9a94 (nvd)
News mentions (0)
No linked articles in our index yet.