Linux kernel BPF bpf_skb_check_mtu transport_header validation flaw

Mallory severity rating: Low

Identifiers: CVE-2025-68363, CWE-476

CVE-2025-68363 is a flaw in the Linux kernel BPF subsystem, in net/core/filter.c, where the bpf_skb_check_mtu helper may use skb->transport_header when invoked with the BPF_MTU_CHK_SEGS flag without first ensuring that the transport header has been set. The issue was introduced in Linux kernel 5.12 by commit 34b2021cc61642d61c3cf943d9e71925b827941b. Under the documented conditions, skb->transport_header can be unset, and the helper's use of it can trigger a WARN_ON_ONCE condition via skb_gso_validate_network_len. The reported reproducer involves CONFIG_DEBUG_NET enabled, skb->gso_size set, and use of bpf_prog_test_run. The upstream fix adds a skb_transport_header_was_set() check immediately before using skb->transport_header, preserving compatibility with existing BPF programs.
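As an added illustration, not code from the kernel, the patch, or this advisory, the following C model shows the defect class the description names: a segment-based MTU computation that reads a transport-header offset before verifying the offset was ever set, beside a variant that performs the was-set check first. The sk_buff layout, the `HDR_UNSET` sentinel, the fixed 8-byte L4 header, the `warn_hits` counter and the `MTU_NO_TRANSPORT_HDR` result are all assumptions of this model; the real fix's fallback behaviour is not described on this page.

```c
#include <stdint.h>

/* Constructed model of the sk_buff fields involved; not the kernel's struct. */
#define HDR_UNSET ((uint16_t)~0U)  /* assumed sentinel for "offset never set" */

struct model_skb {
    uint16_t network_header;    /* offset of the L3 header */
    uint16_t transport_header;  /* offset of the L4 header, HDR_UNSET until set */
    uint32_t gso_size;          /* per-segment payload size, 0 when not GSO */
    uint32_t len;               /* total packet length */
};

enum { MTU_OK = 0, MTU_EXCEEDED = 1, MTU_NO_TRANSPORT_HDR = -1 };

/* Counts how often the "impossible segment" condition fires; stands in for
 * the WARN_ON_ONCE the advisory describes. */
static int warn_hits = 0;

static int model_transport_header_was_set(const struct model_skb *skb)
{
    return skb->transport_header != HDR_UNSET;
}

/* Per-segment length: L3 header bytes (transport minus network offset), an
 * assumed fixed 8-byte L4 header, plus one segment of payload. With
 * transport_header still HDR_UNSET the subtraction yields a value near 64 KiB. */
static uint32_t model_seg_len(const struct model_skb *skb)
{
    return (uint32_t)(skb->transport_header - skb->network_header) + 8 + skb->gso_size;
}

/* Unguarded segment check: uses transport_header without verifying it was set. */
static int check_mtu_segs_unguarded(const struct model_skb *skb, uint32_t mtu)
{
    if (skb->gso_size == 0)
        return skb->len > mtu ? MTU_EXCEEDED : MTU_OK;
    uint32_t seg = model_seg_len(skb);
    if (seg > skb->len)      /* a segment larger than the whole packet cannot be real */
        warn_hits++;
    return seg > mtu ? MTU_EXCEEDED : MTU_OK;
}

/* Guarded variant: the was-set check runs before the offset is used. Returning
 * an error here is this model's choice, not the upstream patch's behaviour. */
static int check_mtu_segs_guarded(const struct model_skb *skb, uint32_t mtu)
{
    if (skb->gso_size != 0 && !model_transport_header_was_set(skb))
        return MTU_NO_TRANSPORT_HDR;
    return check_mtu_segs_unguarded(skb, mtu);
}
```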


Analyst brief: impact, mitigation & remediation

Impact


The available evidence indicates primarily an availability and stability impact rather than confidentiality or integrity impact. Successful triggering can cause a kernel WARN_ON_ONCE condition and associated abnormal behavior in the affected code path. SUSE rates the issue CVSS v3.1 5.5 with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local exploitation with low privileges and high availability impact. The content does not provide evidence of arbitrary code execution or privilege escalation from this flaw alone.

Mitigation


Until a fixed kernel is deployed, avoid invoking bpf_skb_check_mtu with the BPF_MTU_CHK_SEGS flag in contexts where skb->transport_header may be unset, especially bpf_prog_test_run-based test paths. Reducing exposure to the documented trigger conditions, such as avoiding CONFIG_DEBUG_NET in affected test environments, may reduce observability of the warning, but this is not a substitute for patching.

Remediation


Update to a fixed Linux kernel release that includes the upstream patch. The content identifies upstream fixes in 6.12.63, 6.17.13, 6.18.2, and 6.19-rc1, with corresponding fix commits 30ce906557a21adef4cba5901c8e995dc18263a9, 1c30e4afc5507f0069cc09bd561e510e4d97fbf7, 942268e2726ac7f16e3ec49dbfbbbe7cf5af9da5, and d946f3c98328171fa50ddb908593cf833587f725. Vendor-supported backports are also available in multiple SUSE kernel package updates. The Linux kernel CVE team recommends updating to the latest stable kernel rather than cherry-picking individual commits.

Public exploits

No public exploit code observed for this vulnerability.

Affected products & vendors

Vendor | Product | Type
Linux | Linux Kernel | operating_system

Vendor-confirmed product mapping.
