Medium

Linux kernel BPF invalid GSO type emission via bpf_clone_redirect

IdentifiersCVE-2025-68725CWE-20

CVE-2025-68725 is a Linux kernel vulnerability in the BPF test infrastructure and networking path. A malformed skb could be emitted to the networking stack when a BPF program, triggered via the BPF test infrastructure, redirected a packet to the loopback device using bpf_clone_redirect(). The root cause was convert___skb_to_skb() populating gso_segs and gso_size without setting gso_type, resulting in inconsistent and invalid GSO metadata. This malformed state reached netif_skb_features() and gso_features_check(), where it triggered skb_warn_bad_offload(). The upstream fix rejects such malformed packets at bpf_clone_redirect() rather than allowing them to proceed further into the GSO handling path.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful triggering of the flaw can cause skb_warn_bad_offload() warnings and disable GSO-related features for the malformed packet path, resulting in availability or performance degradation consistent with a denial-of-service style impact. The provided material does not indicate direct code execution or direct confidentiality/integrity compromise. Supporting advisory data rates the issue as local, low-complexity, low-privilege, with high availability impact.

Mitigation

If you can’t patch tonight, do this now.

Restrict or disable untrusted BPF program execution in affected environments, especially use of BPF test infrastructure paths capable of generating malformed packets. Avoid exposing workflows where BPF programs can invoke bpf_clone_redirect() on crafted packets toward loopback until patched. As an interim control, limit local low-privilege access to systems where untrusted users could exercise BPF functionality.

Remediation

Patch, then assume compromise.

Update to a Linux kernel release that includes the upstream fix for CVE-2025-68725, described as "bpf: Do not let BPF test infra emit invalid GSO types to stack," or apply the corresponding vendor backport. The fix rejects malformed packets at bpf_clone_redirect(). Where vendor guidance is relevant, deploy the fixed kernel packages provided by the distribution or platform maintainer.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app

bugzilla suseNews

Jun 4, 2026

1255569 - (CVE-2025-68725) VUL-0: CVE-2025-68725: kernel: bpf: Do not let BPF test infra emit invalid GSO types to stack

A Linux kernel BPF-related flaw where BPF test infrastructure could emit malformed packets with invalid GSO metadata, triggering skb_warn_bad_offload() warnings in the networking stack. The fix rejects such packets at bpf_clone_redirect().

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-68725

NVD

nvd.nist.gov/vuln/detail/CVE-2025-68725

MITRE CWE · CWE-20

cwe.mitre.org

Patch

git.kernel.org/stable/c/04a899573fb87273a656f178b5f920c505f68875

Patch

git.kernel.org/stable/c/0f3a60869ca22024dfb9c6fce412b0c70cb4ea36

Patch

git.kernel.org/stable/c/768376ece7036ecb8604961793a1b72afe6345dd

Patch

git.kernel.org/stable/c/8670b53b8ee91f028f7240531064020b7413c461

Patch

git.kernel.org/stable/c/bb7902ed7d7f6d6a7c6c4dc25410d6127ce1085f

Patch

git.kernel.org/stable/c/e0ffb64a2d72c6705b4a4c9efef600409f7e98a0

Patch

git.kernel.org/stable/c/fbea4c63b5385588cb44ab21f91e55e33c719a54