{"id":"CVE-2025-68813","summary":"ipvs: fix ipv4 null-ptr-deref in route error path","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: fix ipv4 null-ptr-deref in route error path\n\nThe IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure()\nwithout ensuring skb-\u003edev is set, leading to a NULL pointer dereference\nin fib_compute_spec_dst() when ipv4_link_failure() attempts to send\nICMP destination unreachable messages.\n\nThe issue emerged after commit ed0de45a1008 (\"ipv4: recompile ip options\nin ipv4_link_failure\") started calling __ip_options_compile() from\nipv4_link_failure(). This code path eventually calls fib_compute_spec_dst()\nwhich dereferences skb-\u003edev. An attempt was made to fix the NULL skb-\u003edev\ndereference in commit 0113d9c9d1cc (\"ipv4: fix null-deref in\nipv4_link_failure\"), but it only addressed the immediate dev_net(skb-\u003edev)\ndereference by using a fallback device. The fix was incomplete because\nfib_compute_spec_dst() later in the call chain still accesses skb-\u003edev\ndirectly, which remains NULL when IPVS calls dst_link_failure().\n\nThe crash occurs when:\n1. IPVS processes a packet in NAT mode with a misconfigured destination\n2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route\n3. The error path calls dst_link_failure(skb) with skb-\u003edev == NULL\n4. ipv4_link_failure() → ipv4_send_dest_unreach() →\n   __ip_options_compile() → fib_compute_spec_dst()\n5. fib_compute_spec_dst() dereferences NULL skb-\u003edev\n\nApply the same fix used for IPv6 in commit 326bf17ea5d4 (\"ipvs: fix\nipv6 route unreach panic\"): set skb-\u003edev from skb_dst(skb)-\u003edev before\ncalling dst_link_failure().\n\nKASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f]\nCPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2\nRIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233\nRIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285\nCall Trace:\n  \u003cTASK\u003e\n  spec_dst_fill net/ipv4/ip_options.c:232\n  spec_dst_fill net/ipv4/ip_options.c:229\n  __ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330\n  ipv4_send_dest_unreach net/ipv4/route.c:1252\n  ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265\n  dst_link_failure include/net/dst.h:437\n  __ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412\n  ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764","modified":"2026-04-02T17:29:27.817371Z","published":"2026-01-13T15:29:18.483Z","related":["MGASA-2026-0017","MGASA-2026-0018","SUSE-SU-2026:0350-1","SUSE-SU-2026:0369-1","SUSE-SU-2026:0411-1","SUSE-SU-2026:0447-1","SUSE-SU-2026:0471-1","SUSE-SU-2026:0472-1","SUSE-SU-2026:0473-1","SUSE-SU-2026:0474-1","SUSE-SU-2026:0496-1","SUSE-SU-2026:0587-1","SUSE-SU-2026:0617-1","SUSE-SU-2026:0939-1","SUSE-SU-2026:0940-1","SUSE-SU-2026:0941-1","SUSE-SU-2026:0943-1","SUSE-SU-2026:0944-1","SUSE-SU-2026:0945-1","SUSE-SU-2026:0946-1","SUSE-SU-2026:0951-1","SUSE-SU-2026:0953-1","SUSE-SU-2026:0954-1","SUSE-SU-2026:0958-1","SUSE-SU-2026:0964-1","SUSE-SU-2026:0967-1","SUSE-SU-2026:0970-1","SUSE-SU-2026:0983-1","SUSE-SU-2026:0985-1","SUSE-SU-2026:0992-1","SUSE-SU-2026:0997-1","SUSE-SU-2026:1000-1","SUSE-SU-2026:1002-1","SUSE-SU-2026:1039-1","SUSE-SU-2026:1044-1","SUSE-SU-2026:1046-1","SUSE-SU-2026:1048-1","SUSE-SU-2026:1049-1","SUSE-SU-2026:1059-1","SUSE-SU-2026:1073-1","SUSE-SU-2026:1083-1","SUSE-SU-2026:1088-1","SUSE-SU-2026:1089-1","SUSE-SU-2026:1096-1","SUSE-SU-2026:1099-1","SUSE-SU-2026:1100-1","SUSE-SU-2026:1101-1","SUSE-SU-2026:1102-1","SUSE-SU-2026:1125-1","SUSE-SU-2026:1132-1","SUSE-SU-2026:1136-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20555-1","SUSE-SU-2026:20599-1","SUSE-SU-2026:20615-1","SUSE-SU-2026:20828-1","SUSE-SU-2026:20829-1","SUSE-SU-2026:20830-1","SUSE-SU-2026:20831-1","SUSE-SU-2026:20832-1","SUSE-SU-2026:20836-1","SUSE-SU-2026:20837-1","SUSE-SU-2026:20840-1","SUSE-SU-2026:20841-1","SUSE-SU-2026:20842-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20847-1","SUSE-SU-2026:20848-1","SUSE-SU-2026:20849-1","SUSE-SU-2026:20850-1","SUSE-SU-2026:20851-1","SUSE-SU-2026:20852-1","SUSE-SU-2026:20853-1","SUSE-SU-2026:20854-1","SUSE-SU-2026:20855-1","SUSE-SU-2026:20856-1","SUSE-SU-2026:20857-1","SUSE-SU-2026:20858-1","SUSE-SU-2026:20859-1","SUSE-SU-2026:20860-1","SUSE-SU-2026:20861-1","SUSE-SU-2026:20862-1","SUSE-SU-2026:20863-1","SUSE-SU-2026:20864-1","SUSE-SU-2026:20865-1","SUSE-SU-2026:20866-1","SUSE-SU-2026:20876-1","SUSE-SU-2026:20880-1","SUSE-SU-2026:20881-1","SUSE-SU-2026:20882-1","SUSE-SU-2026:20883-1","SUSE-SU-2026:20884-1","SUSE-SU-2026:20885-1","SUSE-SU-2026:20886-1","SUSE-SU-2026:20887-1","SUSE-SU-2026:20888-1","SUSE-SU-2026:20889-1","SUSE-SU-2026:20891-1","SUSE-SU-2026:20892-1","SUSE-SU-2026:20893-1","SUSE-SU-2026:20894-1","SUSE-SU-2026:20895-1","SUSE-SU-2026:20896-1","SUSE-SU-2026:20897-1","SUSE-SU-2026:20898-1","SUSE-SU-2026:20899-1","SUSE-SU-2026:20900-1","SUSE-SU-2026:20943-1","SUSE-SU-2026:20944-1","SUSE-SU-2026:20945-1","SUSE-SU-2026:20946-1","SUSE-SU-2026:20947-1","openSUSE-SU-2026:20287-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68813.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/25ab24df31f7af843c96a38e0781b9165216e1a8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/312d7cd88882fc6cadcc08b02287497aaaf94bcd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4729ff0581fbb7ad098b6153b76b6f5aac94618a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/689a627d14788ad772e0fa24c2e57a23dbc7ce90"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ad891bb3d079a46a821bf2b8867854645191bab0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cdeff10851c37a002d87a035818ebd60fdb74447"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dd72a93c80408f06327dd2d956eb1a656d0b5903"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68813.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68813"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"ed0de45a1008991fdaa27a0152befcb74d126a8b"},{"fixed":"dd72a93c80408f06327dd2d956eb1a656d0b5903"},{"fixed":"312d7cd88882fc6cadcc08b02287497aaaf94bcd"},{"fixed":"cdeff10851c37a002d87a035818ebd60fdb74447"},{"fixed":"4729ff0581fbb7ad098b6153b76b6f5aac94618a"},{"fixed":"25ab24df31f7af843c96a38e0781b9165216e1a8"},{"fixed":"689a627d14788ad772e0fa24c2e57a23dbc7ce90"},{"fixed":"ad891bb3d079a46a821bf2b8867854645191bab0"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"6c2fa855d8178699706b1192db2f1f8102b0ba1e"},{"last_affected":"fbf569d2beee2a4a7a0bc8b619c26101d1211a88"},{"last_affected":"ff71f99d5fb2daf54340e8b290d0bc4e6b4c1d38"},{"last_affected":"3d988fcddbe7b8673a231958bd2fba61b5a7ced9"},{"last_affected":"8a430e56a6485267a1b2d3747209d26c54d1a34b"},{"last_affected":"6bd1ee0a993fc9574ae43c1994c54a60cb23a380"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68813.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.1.0"},{"fixed":"5.10.248"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.198"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.160"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.120"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.64"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68813.json"}}],"schema_version":"1.7.5"}