PatchSiren cyber security CVE debrief
CVE-2025-68768 Linux CVE debrief
A vulnerability in the Linux kernel has been resolved. The issue involves a deadlock on pernet_ops_rwsem caused by conntrack looping forever in nf_conntrack_cleanup_net_list(). This happens because nf_defrag_ipv6 loads before conntrack, causing its netns exit hooks to run after conntrack's. To fix this, all fragment queue SKBs are flushed during fqdir_pre_exit() to release conntrack references before conntrack cleanup runs.
- Vendor: Linux
- Product: Unknown
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-13
- Original CVE updated: 2026-06-09
- Advisory published: 2026-01-13
- Advisory updated: 2026-06-09
Who should care
Linux kernel users and administrators should be aware of this vulnerability and take necessary actions to update their kernels.
Technical summary
The Linux kernel vulnerability (CVE-2025-68768) is caused by a deadlock on pernet_ops_rwsem. This deadlock occurs due to conntrack looping in nf_conntrack_cleanup_net_list(). The problem arises from nf_defrag_ipv6 loading before conntrack, causing its netns exit hooks to run after conntrack's. The fix involves flushing all fragment queue SKBs during fqdir_pre_exit() and in timer expiry handlers when fqdir->dead is set.
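The ordering problem described above can be reproduced in a small user-space model. This is an added example, not kernel code or the upstream patch: every name in it is hypothetical, and it assumes per-netns hooks run in reverse registration order with all pre-exit hooks before any exit hook, and that each queued fragment SKB holds one conntrack reference.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy model of netns teardown; names are illustrative, not kernel symbols. */
struct model_net {
    int queued_skbs; /* fragments parked in defrag queues */
    int ct_refs;     /* conntrack references those skbs still hold */
};
struct model_ops {
    void (*pre_exit)(struct model_net *);
    bool (*exit)(struct model_net *); /* false: hook would never return */
};

static void flush_queues(struct model_net *n)
{
    n->ct_refs -= n->queued_skbs; /* freeing an skb drops its conntrack ref */
    n->queued_skbs = 0;
}
/* Assumption: before the fix, the pre-exit step frees no queued skbs. */
static void defrag_pre_exit_old(struct model_net *n) { (void)n; }
static void defrag_pre_exit_fixed(struct model_net *n) { flush_queues(n); }
static bool defrag_exit(struct model_net *n) { flush_queues(n); return true; }

/* Stand-in for the wait in nf_conntrack_cleanup_net_list(): nothing else
 * runs while it spins, so a non-zero count here can never reach zero. */
static bool conntrack_exit(struct model_net *n) { return n->ct_refs == 0; }

/* Hooks run in reverse registration order: every pre_exit, then every exit. */
static bool run_teardown(const struct model_ops *ops, size_t n_ops,
                         struct model_net *net)
{
    for (size_t i = n_ops; i-- > 0;)
        if (ops[i].pre_exit)
            ops[i].pre_exit(net);
    for (size_t i = n_ops; i-- > 0;)
        if (!ops[i].exit(net))
            return false; /* stuck with pernet_ops_rwsem held */
    return true;
}

/* Defrag registers first (it loads before conntrack), as in the advisory. */
bool teardown_completes(bool fixed, int queued_skbs)
{
    struct model_net net = { queued_skbs, queued_skbs };
    struct model_ops ops[] = {
        { fixed ? defrag_pre_exit_fixed : defrag_pre_exit_old, defrag_exit },
        { NULL, conntrack_exit },
    };
    return run_teardown(ops, 2, &net);
}
```

With fragments still queued, the unfixed ordering never gets past the conntrack exit hook, while flushing in the pre-exit step lets teardown finish.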
Defensive priority
High
Recommended defensive actions
- Update the Linux kernel to the latest version.
- Flush all fragment queue SKBs during fqdir_pre_exit() to release conntrack references.
- Flush the queues in timer expiry handlers when they discover fqdir->dead is set.
Evidence notes
The vulnerability was discovered in NIPA, and the fix was provided by flushing pending skbs in fqdir_pre_exit().
Official resources
- CVE-2025-68768 CVE record (CVE.org)
- CVE-2025-68768 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVE-2025-68768 was published on 2026-01-13T16:15:56.247Z and modified on 2026-06-09T11:16:46.910Z.