Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
Low

Linux kernel BPF percpu_hash map special-field memory leak

IdentifiersCVE-2025-68744CWE-401

CVE-2025-68744 is a Linux kernel BPF subsystem vulnerability affecting [lru_,]percpu_hash maps that support BPF_KPTR_REF and BPF_KPTR_PERCPU. The flaw is caused by missing calls to bpf_obj_free_fields() in pcpu_copy_value() during map update operations. As a result, after copy_map_value() or copy_map_value_long() copies a new value into a per-CPU hash map entry, special kptr-backed fields from the replaced value are not freed. Memory referenced by those BPF_KPTR_{REF,PERCPU} fields can therefore remain pinned until the entire map is destroyed. The upstream fix adds bpf_obj_free_fields() in pcpu_copy_value() after the value-copy operation to release those special fields correctly.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation causes a kernel memory/resource leak rather than direct code execution or privilege escalation. Repeated updates to affected BPF [lru_,]percpu_hash map entries can accumulate unreleased memory referenced by BPF_KPTR_REF or BPF_KPTR_PERCPU fields until the map is freed, potentially degrading system stability and causing denial of service through memory exhaustion. Available scoring indicates no confidentiality or integrity impact, but high availability impact.

Mitigation

If you can’t patch tonight, do this now.

No specific upstream workaround is provided in the supplied content. Until patched, reduce exposure by restricting who can create and update BPF maps, disabling or limiting unprivileged BPF where operationally feasible, minimizing use of affected [lru_,]percpu_hash maps with BPF_KPTR_REF or BPF_KPTR_PERCPU fields, and monitoring systems for abnormal kernel memory growth associated with BPF activity.

Remediation

Patch, then assume compromise.

Update to a Linux kernel version or vendor kernel package that includes the upstream fix for CVE-2025-68744. The fix consists of calling bpf_obj_free_fields() in pcpu_copy_value() after copy_map_value() or copy_map_value_long(). Vendor-provided fixed builds include, for example, SUSE kernel packages such as kernel-default >= 6.4.0-150700.53.28.1 for SLES 15 SP7-related products and kernel-default >= 6.12.0-160000.9.1 for SLES 16.0-related products, as documented by SUSE advisories.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

11 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

11 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-68744
NVD
nvd.nist.gov/vuln/detail/CVE-2025-68744
MITRE CWE · CWE-401
cwe.mitre.org
git.kernel.org
git.kernel.org/stable/c/3bf1378747e251571e0de15e7e0a6bf2919044e7
git.kernel.org
git.kernel.org/stable/c/4a03d69cece145e4fb527464be29c3806aa3221e
git.kernel.org
git.kernel.org/stable/c/6af6e49a76c9af7d42eb923703e7648cb2bf401a
git.kernel.org
git.kernel.org/stable/c/96a5cb7072cabbac5c66ac9318242c3bdceebb68
git.kernel.org
git.kernel.org/stable/c/994d6303ed0b84cbc795bb5becf7ed6de40d3f3c