CVE-2025-68363
Description
In the Linux kernel, the following vulnerability has been resolved:
bpf: Check skb->transport_header is set in bpf_skb_check_mtu
The bpf_skb_check_mtu helper needs to use skb->transport_header when the BPF_MTU_CHK_SEGS flag is used:
bpf_skb_check_mtu(skb, ifindex, &mtu_len, 0, BPF_MTU_CHK_SEGS)
The transport_header is not always set. There is a WARN_ON_ONCE report when CONFIG_DEBUG_NET is enabled + skb->gso_size is set + bpf_prog_test_run is used:
WARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071
  skb_gso_validate_network_len
  bpf_skb_check_mtu
  bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch
  bpf_test_run
  bpf_prog_test_run_skb
For a normal ingress skb (not test_run), skb_reset_transport_header is performed but there is a plan to avoid setting it as described in commit 2170a1f09148 ("net: no longer reset transport_header in __netif_receive_skb_core()").
This patch fixes the bpf helper by checking skb_transport_header_was_set(). The check is done just before skb->transport_header is used, to avoid breaking the existing bpf prog. The WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next.
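A userspace C model of the guard described above, added here as an illustration; it is not the kernel patch or code from this page. The struct, the fixed 20-byte L4 header and the error value returned for an unset header are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model, not kernel code. Header positions are 16-bit offsets
 * and all-ones is the "never set" sentinel, as in struct sk_buff. */
#define HDR_UNSET ((uint16_t)~0U)

struct model_skb {
    uint16_t network_header;   /* offset of the L3 header */
    uint16_t transport_header; /* offset of the L4 header, or HDR_UNSET */
    uint16_t gso_size;         /* payload bytes per segment */
};
enum { SEGS_OK = 0, SEGS_TOOBIG = 1, SEGS_EINVAL = -22 };

static bool transport_header_was_set(const struct model_skb *skb)
{
    return skb->transport_header != HDR_UNSET;
}

/* Per-segment length from L3 up; assumes a fixed 20-byte L4 header. */
static unsigned int gso_network_seglen(const struct model_skb *skb)
{
    unsigned int l3_len = (unsigned int)skb->transport_header - skb->network_header;
    return l3_len + 20u + skb->gso_size;
}

/* Before: the offset is used even when it still holds the sentinel. */
static int check_segs_unguarded(const struct model_skb *skb, unsigned int mtu)
{
    return gso_network_seglen(skb) <= mtu ? SEGS_OK : SEGS_TOOBIG;
}

/* After: test the sentinel just before the offset is used. The error
 * value is this model's choice (assumption), not taken from the patch. */
static int check_segs_guarded(const struct model_skb *skb, unsigned int mtu)
{
    if (!transport_header_was_set(skb))
        return SEGS_EINVAL;
    return check_segs_unguarded(skb, mtu);
}

int main(void)
{
    struct model_skb unset = { 14, HDR_UNSET, 1400 }; /* constructed sample */
    printf("unguarded=%d guarded=%d seglen=%u\n", check_segs_unguarded(&unset, 1500),
           check_segs_guarded(&unset, 1500), gso_network_seglen(&unset));
    return 0;
}
```

In the unguarded path the sentinel offset is treated as a real header position, so the computed segment length and the resulting MTU verdict are meaningless; the guarded path rejects the skb before any arithmetic on the offset.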
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing check for skb->transport_header in the Linux kernel's bpf_skb_check_mtu helper can trigger a WARN_ON_ONCE when BPF_MTU_CHK_SEGS is used, potentially causing a denial of service.
Vulnerability
Analysis
The vulnerability resides in the Linux kernel's BPF subsystem, specifically in the bpf_skb_check_mtu helper function. When the BPF_MTU_CHK_SEGS flag is used, the helper relies on skb->transport_header to validate the MTU. However, the transport header is not always set, leading to a WARN_ON_ONCE splat when CONFIG_DEBUG_NET is enabled and skb->gso_size is set, particularly during bpf_prog_test_run operations [1].
Exploitation
The issue can be triggered by a BPF program that calls bpf_skb_check_mtu with the BPF_MTU_CHK_SEGS flag on a socket buffer where the transport header has not been initialized. While the warning is limited to test environments with CONFIG_DEBUG_NET enabled, the underlying condition could be reached in production if a crafted packet or BPF program causes the helper to access an uninitialized transport header. The attack surface. The fix adds a check using skb_transport_header_was_set() before using the transport header, preventing the warning and potential undefined behavior [2].
Impact
An attacker with the ability to load and execute BPF programs (requiring CAP_BPF or root privileges) could trigger a kernel warning, potentially leading to a denial of service if the system is configured to panic on warnings. The impact is limited to systems with CONFIG_DEBUG_NET enabled, but the fix ensures robustness even without that configuration.
Mitigation
The vulnerability is patched in the Linux kernel stable tree. Commits [1] and [2] address the issue by adding a check for skb_transport_header_was_set() before accessing the transport header. Users should apply the latest kernel updates to mitigate this issue.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
- git.kernel.org/stable/c/1c30e4afc5507f0069cc09bd561e510e4d97fbf7 (nvd)
- git.kernel.org/stable/c/30ce906557a21adef4cba5901c8e995dc18263a9 (nvd)
- git.kernel.org/stable/c/942268e2726ac7f16e3ec49dbfbbbe7cf5af9da5 (nvd)
- git.kernel.org/stable/c/97b876fa88322625228792cf7a5fd77531815a80 (nvd)
- git.kernel.org/stable/c/b3171a5e4622e915e94599a55f4964078bdec27e (nvd)
- git.kernel.org/stable/c/d946f3c98328171fa50ddb908593cf833587f725 (nvd)