VYPR
Unrated severity · NVD Advisory · Published Jan 13, 2026 · Updated Apr 15, 2026

CVE-2025-68785

Description

In the Linux kernel, the following vulnerability has been resolved:

net: openvswitch: fix middle attribute validation in push_nsh() action

The push_nsh() action structure looks like this:

OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...))

The outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK'ed by the nla_for_each_nested() inside __ovs_nla_copy_actions(). The innermost OVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK'ed by the nla_for_each_nested() inside nsh_key_put_from_nlattr(). But nothing checks if the attribute in the middle is OK. We don't even check that this attribute is the OVS_KEY_ATTR_NSH. We just do a double unwrap with a pair of nla_data() calls - first time directly while calling validate_push_nsh() and the second time as part of the nla_for_each_nested() macro, which isn't safe, potentially causing invalid memory access if the size of this attribute is incorrect. The failure may not be noticed during validation due to larger netlink buffer, but cause trouble later during action execution where the buffer is allocated exactly to the size:

BUG: KASAN: slab-out-of-bounds in nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]
Read of size 184 at addr ffff88816459a634 by task a.out/22624

CPU: 8 UID: 0 PID: 22624 6.18.0-rc7+ #115 PREEMPT(voluntary)
Call Trace:
 dump_stack_lvl+0x51/0x70
 print_address_description.constprop.0+0x2c/0x390
 kasan_report+0xdd/0x110
 kasan_check_range+0x35/0x1b0
 __asan_memcpy+0x20/0x60
 nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]
 push_nsh+0x82/0x120 [openvswitch]
 do_execute_actions+0x1405/0x2840 [openvswitch]
 ovs_execute_actions+0xd5/0x3b0 [openvswitch]
 ovs_packet_cmd_execute+0x949/0xdb0 [openvswitch]
 genl_family_rcv_msg_doit+0x1d6/0x2b0
 genl_family_rcv_msg+0x336/0x580
 genl_rcv_msg+0x9f/0x130
 netlink_rcv_skb+0x11f/0x370
 genl_rcv+0x24/0x40
 netlink_unicast+0x73e/0xaa0
 netlink_sendmsg+0x744/0xbf0
 __sys_sendto+0x3d6/0x450
 do_syscall_64+0x79/0x2c0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Let's add some checks that the attribute is properly sized and it's the only attribute inside the action. Technically, there is no real reason for OVS_KEY_ATTR_NSH to be there, as we know that we're pushing an NSH header already, it just creates extra nesting, but that's how uAPI works today. So, keeping as it is.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Linux kernel's openvswitch module lacks validation of the middle Netlink attribute in push_nsh() actions, enabling a slab-out-of-bounds read leading to a crash or potential information leak.

Vulnerability

Overview

CVE-2025-68785 is a flaw in the Linux kernel's Open vSwitch (openvswitch) component, specifically in the validation of the Netlink attributes that make up a push_nsh() action. The action structure is nested: OVS_ACTION_ATTR_PUSH_NSH wraps OVS_KEY_ATTR_NSH, which in turn wraps OVS_NSH_KEY_ATTR_BASE or similar inner attributes. While the outermost and innermost attributes are validated by nested loops in __ovs_nla_copy_actions() and nsh_key_put_from_nlattr() respectively, the middle attribute (OVS_KEY_ATTR_NSH) is never checked. The code performs a double nla_data() unwrap without confirming the middle attribute's type or size. Because the Netlink receive buffer is usually larger than the message itself, an incorrect size can go unnoticed during validation; when the actions are later copied into a buffer allocated to exactly the parsed size, execution reads beyond it [1][2][3].
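To make the missing check concrete, here is an added example that is not kernel code and not taken from the referenced commits. It models, in user space, the three-level layout described in the commit message and in the Overview above: a small netlink TLV parser whose validate_push_nsh() confirms, before any nla_data() unwrap of the action payload, that the payload holds exactly one properly sized OVS_KEY_ATTR_NSH attribute, and whose inner loop bounds-checks every OVS_NSH_KEY_ATTR_* entry. The attribute type numbers, the placeholder names ATTR_PUSH_NSH, ATTR_KEY_NSH and NSH_*, the error codes and the test messages are all constructed for this example; the 184-byte length used in one case only echoes the read size in the KASAN report.

```c
/* Added example (not kernel code): user-space model of the nested netlink
 * layout OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...))
 * plus a validator that checks the middle attribute before unwrapping it.
 * Attribute type numbers are constructed placeholders, not real uAPI values. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct nlattr { uint16_t nla_len; uint16_t nla_type; };  /* netlink TLV header */
#define NLA_ALIGN(len) (((len) + 3) & ~3)
#define NLA_HDRLEN     ((int)NLA_ALIGN(sizeof(struct nlattr)))

enum { ATTR_PUSH_NSH = 1 };                       /* stands in for OVS_ACTION_ATTR_PUSH_NSH */
enum { ATTR_KEY_NSH = 2 };                        /* stands in for OVS_KEY_ATTR_NSH */
enum { NSH_BASE = 1, NSH_MD1 = 2, NSH_MD2 = 3 };  /* stand in for OVS_NSH_KEY_ATTR_* */
enum { NSH_OK = 0, NSH_ERR_OUTER = -1, NSH_ERR_MIDDLE = -2, NSH_ERR_INNER = -3 };

/* Same contract as the kernel's nla_ok(): header fits, length sane, within rem. */
static int nla_ok(const struct nlattr *a, int rem)
{
    return rem >= NLA_HDRLEN && a->nla_len >= NLA_HDRLEN && a->nla_len <= rem;
}
static const struct nlattr *nla_next(const struct nlattr *a, int *rem)
{
    int tot = NLA_ALIGN(a->nla_len);
    *rem -= tot;
    return (const struct nlattr *)((const uint8_t *)a + tot);
}
static const void *nla_data(const struct nlattr *a) { return (const uint8_t *)a + NLA_HDRLEN; }
static int nla_len(const struct nlattr *a) { return a->nla_len - NLA_HDRLEN; }

/* Innermost level: BASE/MD1/MD2 are bounds-checked by nla_ok() on every step. */
static int validate_nsh_key(const struct nlattr *nsh)
{
    const struct nlattr *a;
    int rem, seen_base = 0;
    for (a = nla_data(nsh), rem = nla_len(nsh); nla_ok(a, rem); a = nla_next(a, &rem)) {
        if (a->nla_type == NSH_BASE) seen_base = 1;
        else if (a->nla_type != NSH_MD1 && a->nla_type != NSH_MD2) return NSH_ERR_INNER;
    }
    return seen_base ? NSH_OK : NSH_ERR_INNER;
}

/* Middle level, the check that was missing: before handing nla_data(action) to
 * the inner loop, confirm it holds exactly one properly sized OVS_KEY_ATTR_NSH.
 * Without it, a middle header claiming 184 bytes inside a 16-byte payload would
 * let the inner loop walk 180 bytes past the real data. */
static int validate_push_nsh(const struct nlattr *action)
{
    const struct nlattr *mid = nla_data(action);
    int rem = nla_len(action);
    if (!nla_ok(mid, rem))              return NSH_ERR_MIDDLE;  /* too short or oversized */
    if (mid->nla_type != ATTR_KEY_NSH)  return NSH_ERR_MIDDLE;  /* wrong attribute type */
    if (NLA_ALIGN(mid->nla_len) != rem) return NSH_ERR_MIDDLE;  /* must be the only one */
    return validate_nsh_key(mid);
}

/* Outer level: the action attribute itself must fit in the received buffer. */
int validate_push_nsh_buf(const uint8_t *buf, int len)
{
    const struct nlattr *act = (const struct nlattr *)buf;
    if (!nla_ok(act, len) || act->nla_type != ATTR_PUSH_NSH) return NSH_ERR_OUTER;
    return validate_push_nsh(act);
}

/* --- constructed test messages --- */
static void set_hdr(uint8_t *buf, int off, uint16_t len, uint16_t type)
{
    struct nlattr h = { len, type };
    memcpy(buf + off, &h, sizeof h);
}
/* Well-formed PUSH_NSH{ KEY_NSH{ BASE(8 zero bytes) } }: 4 + 4 + 4 + 8 = 20 bytes. */
static int build_good(uint8_t *buf)
{
    memset(buf, 0, 20);
    set_hdr(buf, 0, 20, ATTR_PUSH_NSH);
    set_hdr(buf, NLA_HDRLEN, 16, ATTR_KEY_NSH);
    set_hdr(buf, 2 * NLA_HDRLEN, 12, NSH_BASE);
    return 20;
}

enum { CASE_GOOD, CASE_MID_TOO_LONG, CASE_MID_TOO_SHORT, CASE_MID_WRONG_TYPE,
       CASE_TWO_MID, CASE_INNER_TRUNC };

/* Build the well-formed message, apply one mutation, run the validator. */
int check_case(int which)
{
    uint8_t b[64];
    int n = build_good(b);
    switch (which) {
    case CASE_MID_TOO_LONG:   set_hdr(b, NLA_HDRLEN, 184, ATTR_KEY_NSH); break; /* claims 184 of 16 */
    case CASE_MID_TOO_SHORT:  set_hdr(b, NLA_HDRLEN, 2, ATTR_KEY_NSH);   break; /* shorter than a header */
    case CASE_MID_WRONG_TYPE: set_hdr(b, NLA_HDRLEN, 16, 9);             break; /* not OVS_KEY_ATTR_NSH */
    case CASE_TWO_MID:                          /* a second KEY_NSH attribute inside the action */
        memcpy(b + n, b + NLA_HDRLEN, n - NLA_HDRLEN);
        n += n - NLA_HDRLEN;
        set_hdr(b, 0, (uint16_t)n, ATTR_PUSH_NSH);
        break;
    case CASE_INNER_TRUNC:    set_hdr(b, 2 * NLA_HDRLEN, 40, NSH_BASE);  break; /* BASE claims 40 of 12 */
    default: break;                                                             /* CASE_GOOD: unchanged */
    }
    return validate_push_nsh_buf(b, n);
}

int main(void)
{
    printf("good=%d too_long=%d too_short=%d wrong_type=%d two_mid=%d inner=%d\n",
           check_case(CASE_GOOD), check_case(CASE_MID_TOO_LONG), check_case(CASE_MID_TOO_SHORT),
           check_case(CASE_MID_WRONG_TYPE), check_case(CASE_TWO_MID), check_case(CASE_INNER_TRUNC));
    return 0;
}
```

Run stand-alone, it prints the result code for each case. The middle-level checks reject an oversized, undersized, mistyped or duplicated OVS_KEY_ATTR_NSH before the inner loop is ever entered, which is the gap the fix closes; the inner loop's own nla_ok() still catches a truncated OVS_NSH_KEY_ATTR_BASE, mirroring the level that the commit message says was already validated.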

Exploitation

An attacker able to send crafted Netlink messages to the kernel's generic Netlink family for openvswitch can trigger this vulnerability. No authentication is required beyond access to the ovs Netlink interface, which is typically available to processes with CAP_NET_ADMIN, or in certain container setups to unprivileged users if the datapath is exposed. Triggering the flaw requires a malformed OVS_ACTION_ATTR_PUSH_NSH attribute whose middle Netlink attribute has an inconsistent or zero length. The validation phase may not catch the error because the Netlink buffer is larger than needed, but later execution with an exactly-sized buffer triggers a slab-out-of-bounds read, as the KASAN report shows [1][2][3].

Impact

Successful exploitation leads to a kernel crash due to the out-of-bounds read, causing a denial of service. In some configurations, it could also result in unauthorized disclosure of kernel memory if the out-of-bounds data is returned to user space (though the primary reported symptom is a crash). The vulnerability does not provide code execution on its own, but the out-of-bounds access may be leveraged for information disclosure [1].

Mitigation

The fix has been merged into the Linux kernel stable branches. Users should apply the patches from the referenced commits: c999153bfb2d, 3bc2efff20a3, and 1b569db9c2f2 [1][2][3]. As of publication, no workaround is available aside from restricting access to the openvswitch Netlink interface or unloading the openvswitch module if it is not in use.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 7

News mentions: 0 (No linked articles in our index yet.)