VYPR
Unrated severity · NVD Advisory · Published Jan 13, 2026 · Updated Apr 15, 2026

CVE-2025-68813

Description

In the Linux kernel, the following vulnerability has been resolved:

ipvs: fix ipv4 null-ptr-deref in route error path

The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure() without ensuring skb->dev is set, leading to a NULL pointer dereference in fib_compute_spec_dst() when ipv4_link_failure() attempts to send ICMP destination unreachable messages.

The issue emerged after commit ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure") started calling __ip_options_compile() from ipv4_link_failure(). This code path eventually calls fib_compute_spec_dst() which dereferences skb->dev. An attempt was made to fix the NULL skb->dev dereference in commit 0113d9c9d1cc ("ipv4: fix null-deref in ipv4_link_failure"), but it only addressed the immediate dev_net(skb->dev) dereference by using a fallback device. The fix was incomplete because fib_compute_spec_dst() later in the call chain still accesses skb->dev directly, which remains NULL when IPVS calls dst_link_failure().

The crash occurs when:

1. IPVS processes a packet in NAT mode with a misconfigured destination
2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route
3. The error path calls dst_link_failure(skb) with skb->dev == NULL
4. ipv4_link_failure() → ipv4_send_dest_unreach() → __ip_options_compile() → fib_compute_spec_dst()
5. fib_compute_spec_dst() dereferences NULL skb->dev

Apply the same fix used for IPv6 in commit 326bf17ea5d4 ("ipvs: fix ipv6 route unreach panic"): set skb->dev from skb_dst(skb)->dev before calling dst_link_failure().

KASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f]
CPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2
RIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233
RIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285
Call Trace:
 spec_dst_fill net/ipv4/ip_options.c:232
 spec_dst_fill net/ipv4/ip_options.c:229
 __ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330
 ipv4_send_dest_unreach net/ipv4/route.c:1252
 ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265
 dst_link_failure include/net/dst.h:437
 __ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412
 ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764
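For crash triage, the call chain above can be turned into a signature check over collected oops text. The following is an added example, not code from the advisory or the kernel project; the function names, the choice of signature frames and the dmesg-style line format are assumptions, and OTHER_OOPS is a constructed negative sample.

```python
import re

FAULT_SYMBOL = "fib_compute_spec_dst"
# Frames of the advisory's trace that carry +offset (not inlined), innermost first.
SIGNATURE = ("__ip_options_compile", "ipv4_link_failure", "__ip_vs_get_out_rt")

# Kernel-mode RIP line with a symbol; compiler suffixes (.isra.0 etc.) are ignored.
RIP_RE = re.compile(r"RIP:\s+[0-9a-f]{4}:([A-Za-z_]\w*)[\w.]*\+0x")
# Optional dmesg timestamp, optional "? " marker, then the function name.
FRAME_RE = re.compile(r"^\s*(?:\[[\s\d.]+\]\s*)?(\?\s)?\s*([A-Za-z_]\w*)")

def reliable_frames(oops_text):
    """Names after 'Call Trace:', skipping '? sym' entries the unwinder could not verify."""
    frames, in_trace = [], False
    for line in oops_text.splitlines():
        if "Call Trace:" in line:
            in_trace = True
            continue
        m = FRAME_RE.match(line) if in_trace else None
        if m and not m.group(1):
            frames.append(m.group(2))
    return frames

def matches_cve_2025_68813(oops_text):
    """True if the fault is in fib_compute_spec_dst() via the IPVS route error path."""
    rip = RIP_RE.search(oops_text)
    if not rip or rip.group(1) != FAULT_SYMBOL:
        return False
    remaining = iter(reliable_frames(oops_text))
    return all(sym in remaining for sym in SIGNATURE)  # ordered subsequence

# Trace lines as quoted in the advisory above.
ADVISORY_OOPS = """\
RIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285
Call Trace:
 spec_dst_fill net/ipv4/ip_options.c:232
 __ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330
 ipv4_send_dest_unreach net/ipv4/route.c:1252
 ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265
 dst_link_failure include/net/dst.h:437
 __ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412
 ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764
"""
# Constructed negative sample: same faulting function, IPVS frame only unverified.
OTHER_OOPS = """\
RIP: 0010:fib_compute_spec_dst+0x17a/0x9f0
Call Trace:
 __ip_options_compile+0x13a1/0x17d0
 ipv4_link_failure+0x702/0xb80
 ? __ip_vs_get_out_rt+0x15fd/0x19e0
"""
```

A match indicates the crash followed the path described in this advisory; it does not by itself establish which kernel build or IPVS configuration was running.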

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A NULL pointer dereference in the Linux kernel's IPVS subsystem when calling dst_link_failure() with an unset skb->dev, leading to a crash.

Vulnerability

CVE-2025-68813 is a NULL pointer dereference vulnerability in the Linux kernel's IPVS (IP Virtual Server) subsystem, specifically in the IPv4 code path of __ip_vs_get_out_rt(). The root cause is that dst_link_failure() is called without ensuring skb->dev is set, which leads to a crash in fib_compute_spec_dst() when the kernel attempts to send an ICMP destination unreachable message. This issue emerged after commit ed0de45a1008 introduced a call to __ip_options_compile() from ipv4_link_failure(), which eventually dereferences skb->dev.

Exploitation

An attacker can trigger this vulnerability by sending packets to a misconfigured IPVS destination in NAT mode, causing a route lookup failure. When the error path calls dst_link_failure(skb) with skb->dev == NULL, the kernel panics. The attack requires network access to a system running a vulnerable IPVS configuration, but no authentication is needed. The crash is reliably reproducible, as demonstrated by the syzbot reproducer.

Impact

Successful exploitation results in a kernel NULL pointer dereference, leading to a system crash (denial of service). The crash occurs in fib_compute_spec_dst() when it dereferences skb->dev, as shown in the KASAN call trace. This can be used to disrupt services relying on the affected system.

Mitigation

The fix applies the same approach used for IPv6 in commit 326bf17ea5d4: set skb->dev from skb_dst(skb)->dev before calling dst_link_failure(). Patches have been applied to the stable kernel trees, as referenced in commits cdeff10851c3, 4729ff0581fb, and dd72a93c8040 [1][2][3]. Users should update their kernels to include these fixes.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
