CVE-2025-68341
Description
In the Linux kernel, the following vulnerability has been resolved:
veth: reduce XDP no_direct return section to fix race
As explained in commit fa349e396e48 ("veth: Fix race with AF_XDP exposing old or uninitialized descriptors"), for veth there is a chance after napi_complete_done() that another CPU can manage to start another NAPI instance running veth_pool(). For NAPI this is correctly handled, as the napi_schedule_prep() check will prevent multiple instances from getting scheduled, but the remaining code in veth_pool() can run concurrently with the newly started NAPI instance.
The problem/race is that xdp_clear_return_frame_no_direct() isn't designed to be nested.
Prior to commit 401cb7dae813 ("net: Reference bpf_redirect_info via task_struct on PREEMPT_RT.") the temporary BPF net context bpf_redirect_info was stored per CPU, where this wasn't an issue. Since this commit the BPF context is stored in the 'current' task_struct. When running veth in threaded-NAPI mode, the kthread becomes the storage area. Now a race exists between two concurrent veth_pool() function calls, one exiting NAPI and one running new NAPI, both using the same BPF net context.
The race is when another CPU gets within the xdp_set_return_frame_no_direct() section before the exiting veth_pool() calls the clear function xdp_clear_return_frame_no_direct().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in the Linux kernel's veth driver allows concurrent XDP redirect context access, potentially leading to use of uninitialized descriptors.
Vulnerability
In the Linux kernel's veth driver, a race condition exists in the XDP redirect path. After napi_complete_done(), another CPU may start a new NAPI instance running veth_pool() concurrently with the exiting instance. The xdp_clear_return_frame_no_direct() function is not designed for nested calls, leading to a race condition when the BPF redirect context (bpf_redirect_info) is stored in the task_struct (since commit 401cb7dae813) rather than per-CPU [1][2].
Exploitation
The race occurs when two veth_pool() calls run concurrently, one exiting NAPI and one starting new NAPI, both using the same BPF net context stored in the current task. In threaded-NAPI mode, the kthread becomes the storage area, making the race possible. An attacker with local access and the ability to trigger XDP programs on veth interfaces could potentially exploit this to cause a use-after-free or expose uninitialized descriptors [3].
Impact
Successful exploitation could allow an attacker to read sensitive kernel memory or cause a denial of service (system crash). The vulnerability is similar to the one described in commit fa349e396e48 ("veth: Fix race with AF_XDP exposing old or uninitialized descriptors").
Mitigation
The fix reduces the XDP no_direct return section to eliminate the race. Patches are available in the stable kernel tree (commits a14602fcae17, c1ceabcb347d, d0bd018ad72a). Users should update to the latest stable kernel version that includes these fixes.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
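To make the interleaving in the description and the effect of the mitigation concrete, here is an added model (not kernel code and not part of this advisory) of the race. It assumes a single flag standing in for the no_direct state of bpf_redirect_info that both NAPI passes on one kthread share, and it models the fix as ending the no_direct section before napi_complete_done(), which is what "reduce the XDP no_direct return section" describes.

```c
#include <stdbool.h>
#include <stddef.h>

/* Model only: one flag standing in for bpf_redirect_info's no_direct state, which
 * since commit 401cb7dae813 lives in the kthread's task_struct and is therefore
 * shared by every NAPI pass that thread runs. */
static bool task_no_direct;

/* Steps of one veth poll pass. */
enum step { STEP_SET, STEP_RCV, STEP_COMPLETE, STEP_FLUSH, STEP_CLEAR, STEP_DONE };

/* Pre-fix order: the clear comes after napi_complete_done(), which is the race window. */
static const enum step buggy_order[] =
    { STEP_SET, STEP_RCV, STEP_COMPLETE, STEP_FLUSH, STEP_CLEAR, STEP_DONE };
/* Fixed order as modelled here: the no_direct section ends before napi_complete_done(). */
static const enum step fixed_order[] =
    { STEP_SET, STEP_RCV, STEP_FLUSH, STEP_CLEAR, STEP_COMPLETE, STEP_DONE };

static void exec_step(enum step s, bool *seen_at_flush)
{
    switch (s) {
    case STEP_SET:   task_no_direct = true;  break; /* xdp_set_return_frame_no_direct() */
    case STEP_CLEAR: task_no_direct = false; break; /* xdp_clear_return_frame_no_direct() */
    case STEP_FLUSH:                                /* xdp_do_flush(): needs the flag intact */
        if (seen_at_flush) *seen_at_flush = task_no_direct;
        break;
    default: break; /* STEP_RCV: veth_xdp_rcv(); STEP_COMPLETE: napi_complete_done() */
    }
}

/* Worst-case interleaving from the advisory: A calls napi_complete_done(), a new
 * instance B enters its no_direct section in the same kthread context, A runs its
 * remaining steps, then B flushes. Returns the flag value B sees at its flush. */
bool new_instance_sees_no_direct(bool clear_before_complete)
{
    const enum step *order = clear_before_complete ? fixed_order : buggy_order;
    size_t ia = 0, ib = 0;
    bool seen = false;

    task_no_direct = false;
    while (order[ia] != STEP_COMPLETE)
        exec_step(order[ia++], NULL);                /* A runs up to napi_complete_done() */
    exec_step(order[ia++], NULL);                    /* A: napi_complete_done(), B may now start */
    while (order[ib] != STEP_COMPLETE && order[ib] != STEP_FLUSH)
        exec_step(order[ib++], &seen);               /* B sets the flag and receives */
    while (order[ia] != STEP_DONE)
        exec_step(order[ia++], NULL);                /* A finishes; pre-fix this clears B's flag */
    while (order[ib] != STEP_DONE)
        exec_step(order[ib++], &seen);               /* B flushes with whatever is left */
    return seen;                                     /* false pre-fix, true post-fix */
}
```

With the pre-fix order the exiting pass clears the flag out from under the new pass; with the clear moved before napi_complete_done(), the new pass only ever sets a flag nobody else will touch.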