PT-2026-2500 · Linux · Linux Kernel

Published

2025-12-06

·

Updated

2026-05-26

·

CVE-2025-68768

CVSS v2.0

4.6

Medium

Vector AV:L/AC:L/Au:S/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified)
Description: A flaw exists in the Linux kernel at the boundary between IPv6 packet reassembly (nf_defrag_ipv6) and connection tracking (nf_conntrack) during network namespace teardown. Fragments queued for reassembly are pending SKBs (socket buffers) that hold conntrack references. Conntrack's netns exit hook waits for every conntrack entry in the namespace to be released, but the exit hook for nf_defrag_ipv6, which tears down the fragment queues and drops those references, runs after conntrack's hook, so the wait can never complete and namespace teardown deadlocks. The fix flushes the fragment queues in fqdir_pre_exit(), which runs before the exit hooks, so the references are released before conntrack cleanup starts. The issue was observed in NIPA (the netdev CI), typically triggered by module loading (e.g., ipvlan) and associated with the ip_defrag.sh selftest.
Recommendations: This entry does not record an upstream kernel version that contains the fix. The vendor security advisories listed under Related Identifiers (SUSE-SU, openSUSE-SU, USN) track distribution kernel updates for this CVE; apply the update for your distribution and confirm the running kernel matches the advisory's package version after rebooting.
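
As a userspace model of the teardown ordering described above (an added example, not kernel code and not the patch that fixed this CVE): the hook names borrow the kernel's, but the structures are simplified stand-ins, conntrack's wait is bounded so the model reports the hang instead of spinning forever, and the pre_exit flush is toggled by a flag so the unfixed and fixed orderings can be compared side by side.

```c
/* Userspace model of the netns teardown ordering behind CVE-2025-68768.
 * Assumption: this is NOT kernel code. Names mirror the subsystems involved
 * (fqdir_pre_exit, nf_conntrack, nf_defrag_ipv6) but every structure and
 * hook here is a simplified stand-in written for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FRAGS   8
#define WAIT_ROUNDS 3   /* bounded stand-in for conntrack's "wait until zero" loop */

struct conntrack_ns { int ct_count; };   /* live conntrack entries in the namespace */
struct skb          { int holds_ct; };   /* packet buffer that may pin a conntrack entry */
struct frag_queue   { struct skb *frags[MAX_FRAGS]; int n; }; /* pending reassembly SKBs */

struct netns {
    struct conntrack_ns ct;
    struct frag_queue   fqdir;           /* IPv6 defrag's per-netns fragment queue */
    int                 flush_on_pre_exit; /* 1 = the fix: flush fragments in pre_exit */
};

/* Packet path: a fragment is queued for reassembly while holding a ct reference. */
static void queue_fragment(struct netns *ns)
{
    struct skb *s = calloc(1, sizeof *s);
    s->holds_ct = 1;
    ns->ct.ct_count++;
    ns->fqdir.frags[ns->fqdir.n++] = s;
}

/* Drop every pending fragment; each one releases its conntrack reference. */
static void fq_flush(struct netns *ns)
{
    for (int i = 0; i < ns->fqdir.n; i++) {
        if (ns->fqdir.frags[i]->holds_ct)
            ns->ct.ct_count--;
        free(ns->fqdir.frags[i]);
    }
    ns->fqdir.n = 0;
}

/* pre_exit stage: with the fix applied, the fragment queues are flushed here,
 * before any subsystem's exit hook runs. */
static void fqdir_pre_exit(struct netns *ns)
{
    if (ns->flush_on_pre_exit)
        fq_flush(ns);
}

/* conntrack's exit hook: must not return until every entry is gone.
 * The kernel loops until the count reaches zero; this model gives up after
 * WAIT_ROUNDS so the caller can observe the hang. 0 = clean, -1 = hung. */
static int nf_conntrack_exit(struct netns *ns)
{
    for (int round = 0; round < WAIT_ROUNDS; round++) {
        if (ns->ct.ct_count == 0)
            return 0;
        /* Nothing else runs during this wait that could release the refs:
         * the holder (the fragment queue) is torn down by a LATER hook. */
    }
    return -1;
}

/* nf_defrag_ipv6's exit hook: tears down the fragment queues and releases
 * the refs, but it runs after conntrack's hook has already waited. */
static void nf_defrag_ipv6_exit(struct netns *ns)
{
    fq_flush(ns);
}

/* cleanup_net stand-in: pre_exit hooks first, then exit hooks in the order
 * the advisory describes (conntrack before nf_defrag_ipv6). */
int cleanup_net(struct netns *ns)
{
    fqdir_pre_exit(ns);
    int rc = nf_conntrack_exit(ns);
    nf_defrag_ipv6_exit(ns);   /* releases whatever is still pending */
    return rc;
}

/* Build a namespace with `pending` fragments in flight and tear it down.
 * Returns 0 if teardown completed, -1 if conntrack's exit hook hung. */
int teardown_with_pending(int pending, int fixed)
{
    struct netns ns;
    memset(&ns, 0, sizeof ns);
    ns.flush_on_pre_exit = fixed;
    for (int i = 0; i < pending && i < MAX_FRAGS; i++)
        queue_fragment(&ns);
    return cleanup_net(&ns);
}

int main(void)
{
    printf("unfixed, 2 pending fragments: %s\n", teardown_with_pending(2, 0) ? "hang" : "ok");
    printf("fixed,   2 pending fragments: %s\n", teardown_with_pending(2, 1) ? "hang" : "ok");
    printf("unfixed, 0 pending fragments: %s\n", teardown_with_pending(0, 0) ? "hang" : "ok");
    return 0;
}
```

The point the model makes is about ordering, not about fragments specifically: any object whose lifetime is ended by a later exit hook, while an earlier hook blocks until that object's references are gone, produces the same hang. Moving the release into a pre_exit stage is the kernel's general answer, and it is why the fix lands in fqdir_pre_exit() rather than in nf_defrag_ipv6's exit hook.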

Exploit

Weakness Enumeration

Related Identifiers

AZL-74360
BDU:2026-00738
CVE-2025-68768
ECHO-8DDD-704E-C005
OESA-2026-1566
OESA-2026-1567
OESA-2026-1570
OPENSUSE-SU-2026:20287-1
SUSE-SU-2026:0447-1
SUSE-SU-2026:0472-1
SUSE-SU-2026:0587-1
SUSE-SU-2026:20477-1
SUSE-SU-2026:20498-1
SUSE-SU-2026:20555-1
SUSE-SU-2026:20599-1
SUSE-SU-2026:20615-1
SUSE-SU-2026:20845-1
SUSE-SU-2026:20876-1
USN-8177-1
USN-8177-2
USN-8183-1
USN-8183-2
USN-8245-1
USN-8257-1

Affected Products

Linuxmint
Linux Kernel
Ubuntu