CVE-2025-68206

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description The Linux kernel contains an issue within the netfilter module related to Network Address Translation (NAT) and connection tracking (conntrack). Specifically, the problem arises when handling FTP traffic utilizing PASV/EPSV modes, where sequence adjustments are necessary due to payload rewriting (IP and port) on the FTP control connection. This can lead to incorrect TCP length and sequence/acknowledgment sequence calculations. The issue manifests when the FTP helper is assigned after the Dynamic NAT (dnat) setup, resulting in a missing call to nfct seqadj ext add(). This can cause connection failures, as demonstrated by a "Service not available" error when attempting to list files via FTP in passive mode. The problem is observed in kernel logs with a warning message indicating the missing nfct seqadj ext add() setup call. The issue impacts systems using the ftp helper with NAT rules involving port 21.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.