VYPR
← All advisories
Unrated severityNVD Advisory· Published Jan 13, 2026· Updated Apr 15, 2026

CVE-2025-68787

CVE-2025-68787

Description

In the Linux kernel, the following vulnerability has been resolved:

netrom: Fix memory leak in nr_sendmsg()

syzbot reported a memory leak [1].

When function sock_alloc_send_skb() return NULL in nr_output(), the original skb is not freed, which was allocated in nr_sendmsg(). Fix this by freeing it before return.

[1] BUG: memory leak unreferenced object 0xffff888129f35500 (size 240): comm "syz.0.17", pid 6119, jiffies 4294944652 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 10 52 28 81 88 ff ff ..........R(.... backtrace (crc 1456a3e4): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4983 [inline] slab_alloc_node mm/slub.c:5288 [inline] kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340 __alloc_skb+0x203/0x240 net/core/skbuff.c:660 alloc_skb include/linux/skbuff.h:1383 [inline] alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671 sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965 sock_alloc_send_skb include/net/sock.h:1859 [inline] nr_sendmsg+0x287/0x450 net/netrom/af_netrom.c:1105 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] sock_write_iter+0x293/0x2a0 net/socket.c:1195 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x45d/0x710 fs/read_write.c:686 ksys_write+0x143/0x170 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A memory leak in the Linux kernel's NET/ROM protocol (`nr_sendmsg()`) can be triggered by a `sock_alloc_send_skb()` failure, allowing local denial of service.

CVE-2025-68787 is a memory leak vulnerability in the Linux kernel's NET/ROM protocol implementation, specifically in the nr_sendmsg() function in net/netrom/af_netrom.c. When nr_output() calls sock_alloc_send_skb() and it returns NULL, the original skb allocated in nr_sendmsg() is not freed, leading to a memory leak [1]. The issue was reported by syzbot and is tracked in the kernel's bug tracking system.

Exploitation

The vulnerability can be triggered by a local user with the ability to send messages over a NET/ROM socket. By causing sock_alloc_send_skb() to fail (e.g., due to memory pressure or flag manipulation), an attacker can repeatedly leak skbs without freeing them, slowly exhausting kernel memory. No special privileges are required beyond the ability to open and write to a NET/ROM socket.

Impact

An attacker can cause a gradual depletion of kernel memory, potentially leading to a denial of service (system hang or crash) if the system runs out of memory. The leak is per nr_sendmsg() call, and with repeated exploitation the system memory can be exhausted, affecting all processes on the host.

Mitigation

The fix is included in Linux kernel stable tree commits [1][2][3]. The patch adds a kfree_skb(skb) before returning an error in nr_sendmsg() when nr_output() fails due to sock_alloc_send_skb() returning NULL. Users should update their kernel to a patched version (e.g., 6.12-stable or later). If patching is not possible, restricting local access to NET/ROM sockets may reduce risk, but no complete workaround is available.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

7

News mentions

0

No linked articles in our index yet.