CVE-2025-68340

Published: Dic 23, 2025 Last Modified: Feb 26, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 5,5

Source: [email protected]

Attack Vector: local

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: none

Integrity: none

Availability: high

Description

AI Translation Available

In the Linux kernel, the following vulnerability has been resolved:

team: Move team device type change at the end of team_port_add

Attempting to add a port device that is already up will expectedly fail,
but not before modifying the team device header_ops.

In the case of the syzbot reproducer the gre0 device is
already in state UP when it attempts to add it as a
port device of team0, this fails but before that
header_ops->create of team0 is changed from eth_header to ipgre_header
in the call to team_dev_type_check_change.

Later when we end up in ipgre_header() struct ip_tunnel* points to nonsense
as the private data of the device still holds a struct team.

Example sequence of iproute2 commands to reproduce the hang/BUG():
ip link add dev team0 type team
ip link add dev gre0 type gre
ip link set dev gre0 up
ip link set dev gre0 master team0
ip link set dev team0 up
ping -I team0 1.1.1.1

Move team_dev_type_check_change down where all other checks have passed
as it changes the dev type with no way to restore it in case
one of the checks that follow it fail.

Also make sure to preserve the origial mtu assignment:
- If port_dev is not the same type as dev, dev takes mtu from port_dev
- If port_dev is the same type as dev, port_dev takes mtu from dev

This is done by adding a conditional before the call to dev_set_mtu
to prevent it from assigning port_dev->mtu = dev->mtu and instead
letting team_dev_type_check_change assign dev->mtu = port_dev->mtu.
The conditional is needed because the patch moves the call to
team_dev_type_check_change past dev_set_mtu.

Testing:
- team device driver in-tree selftests
- Add/remove various devices as slaves of team device
- syzbot

AI Generated Translation

Nel kernel Linux, è stata risolta la seguente vulnerabilità:

team: Sposta il cambio del tipo di dispositivo team alla fine di team_port_add

Tentare di aggiungere un dispositivo di porta già attivo fallirà prevedibilmente,
ma non prima di aver modificato header_ops del dispositivo team.

Nel caso del riproduttore syzbot, il dispositivo gre0 si trova già in stato UP
quando si tenta di aggiungerlo come dispositivo di porta di team0, questo fallisce,
ma prima di ciò header_ops->create di team0 viene modificato da eth_header a ipgre_header
nella chiamata a team_dev_type_check_change.

Successivamente, quando si arriva in ipgre_header(), il struct ip_tunnel*
puntano a dati senza senso poiché i dati privati del dispositivo ancora contengono un struct team.

Esempio di sequenza di comandi iproute2 per riprodurre il blocco/BUG():
ip link add dev team0 type team
ip link add dev gre0 type gre
ip link set dev gre0 up
ip link set dev gre0 master team0
ip link set dev team0 up
ping -I team0 1.1.1.1

Spostare team_dev_type_check_change più in basso, dove sono passati tutti gli altri controlli,
poiché modifica il tipo di dev senza un modo per ripristinarlo nel caso in cui uno dei controlli successivi fallisca.

Assicurarsi inoltre di preservare l'assegnazione originale di mtu:
- Se port_dev non è dello stesso tipo di dev, dev prende l'mtu da port_dev
- Se port_dev è dello stesso tipo di dev, port_dev prende l'mtu da dev

Questo viene fatto aggiungendo una condizione prima della chiamata a dev_set_mtu
per impedire di assegnare port_dev->mtu = dev->mtu e invece
lasciare team_dev_type_check_change assegnare dev->mtu = port_dev->mtu.
La condizione è necessaria perché la patch sposta la chiamata a
team_dev_type_check_change oltre dev_set_mtu.

Test:
- Selftest del driver del dispositivo team incluso nel kernel
- Aggiunta/rimozione di vari dispositivi come slave del dispositivo team
- syzbot

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0002

Percentile

0,1th

Updated

EPSS Score Trend (Last 82 Days)

Operating System

Linux Kernel by Linux

Product Information

Vendor Linux

Product Linux Kernel

Version 6.18

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:linux:linux_kernel:6.18:rc5:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Operating System

Linux Kernel by Linux

Product Information

Vendor Linux

Product Linux Kernel

Version 6.18

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:linux:linux_kernel:6.18:rc3:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Operating System

Linux Kernel by Linux

Product Information

Vendor Linux

Product Linux Kernel

Version Range Affected

From 6.2 (inclusive)

To 6.6.123 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Operating System

Linux Kernel by Linux

Product Information

Vendor Linux

Product Linux Kernel

Version 6.18

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:linux:linux_kernel:6.18:rc7:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Operating System

Linux Kernel by Linux

Product Information

Vendor Linux

Product Linux Kernel

Version Range Affected

From 5.16 (inclusive)

To 6.1.162 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Operating System

Linux Kernel by Linux

Product Information

Vendor Linux

Product Linux Kernel

Version Range Affected

From 6.7 (inclusive)

To 6.12.61 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Operating System

Linux Kernel by Linux

Product Information

Vendor Linux

Product Linux Kernel

Version 6.18

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:linux:linux_kernel:6.18:rc2:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Operating System

Linux Kernel by Linux

Product Information

Vendor Linux

Product Linux Kernel

Version 6.18

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:linux:linux_kernel:6.18:rc4:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Operating System

Linux Kernel by Linux

Product Information

Vendor Linux

Product Linux Kernel

Version Range Affected

From 6.13 (inclusive)

To 6.17.11 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Operating System

Linux Kernel by Linux

Product Information

Vendor Linux

Product Linux Kernel

Version 6.18

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:linux:linux_kernel:6.18:rc1:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Operating System

Linux Kernel by Linux

Product Information

Vendor Linux

Product Linux Kernel

Version Range Affected

From 3.7 (inclusive)

To 5.15.199 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Operating System

Linux Kernel by Linux

Product Information

Vendor Linux

Product Linux Kernel

Version 6.18

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:linux:linux_kernel:6.18:rc6:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

https://git.kernel.org/stable/c/0ae9cfc454ea5ead5f3ddbdfe2e…

https://git.kernel.org/stable/c/0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef

https://git.kernel.org/stable/c/4040b5e8963982a00aa821300cb…

https://git.kernel.org/stable/c/4040b5e8963982a00aa821300cb746efc9f2947e

https://git.kernel.org/stable/c/a74ab1b532ecc5f9106621a8f75…

https://git.kernel.org/stable/c/a74ab1b532ecc5f9106621a8f75b4c3d04466b35

https://git.kernel.org/stable/c/c8b15b0d2eec3b5c7f585e5a53d…

https://git.kernel.org/stable/c/c8b15b0d2eec3b5c7f585e5a53dfc8d36c818283

https://git.kernel.org/stable/c/e26235840fd961e4ebe5568f11a…

https://git.kernel.org/stable/c/e26235840fd961e4ebe5568f11a2a078cf726663

https://git.kernel.org/stable/c/e3eed4f038214494af62c7d2d64…

https://git.kernel.org/stable/c/e3eed4f038214494af62c7d2d64749e5108ce6ca

CVE-2025-68340

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 82 Days)

Linux Kernel by Linux

Product Information

Linux Kernel by Linux

Product Information

Linux Kernel by Linux

Product Information

Linux Kernel by Linux

Product Information

Linux Kernel by Linux

Product Information

Linux Kernel by Linux

Product Information

Linux Kernel by Linux

Product Information

Linux Kernel by Linux

Product Information

Linux Kernel by Linux

Product Information

Linux Kernel by Linux

Product Information

Linux Kernel by Linux

Product Information

Linux Kernel by Linux

Product Information

Iscriviti alla newsletter