CVE-2025-68813 Affecting kernel-source-azure package, versions <6.4.0-150700.20.27.1
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-SLES157-KERNELSOURCEAZURE-15277458
- published13 Feb 2026
- disclosed12 Feb 2026
Introduced: 12 Feb 2026
CVE-2025-68813 (opens in a new tab)How to fix?
Upgrade SLES:15.7 kernel-source-azure to version 6.4.0-150700.20.27.1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-source-azure package and not the kernel-source-azure package as distributed by SLES.
See How to fix? for SLES:15.7 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
ipvs: fix ipv4 null-ptr-deref in route error path
The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure() without ensuring skb->dev is set, leading to a NULL pointer dereference in fib_compute_spec_dst() when ipv4_link_failure() attempts to send ICMP destination unreachable messages.
The issue emerged after commit ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure") started calling __ip_options_compile() from ipv4_link_failure(). This code path eventually calls fib_compute_spec_dst() which dereferences skb->dev. An attempt was made to fix the NULL skb->dev dereference in commit 0113d9c9d1cc ("ipv4: fix null-deref in ipv4_link_failure"), but it only addressed the immediate dev_net(skb->dev) dereference by using a fallback device. The fix was incomplete because fib_compute_spec_dst() later in the call chain still accesses skb->dev directly, which remains NULL when IPVS calls dst_link_failure().
The crash occurs when:
- IPVS processes a packet in NAT mode with a misconfigured destination
- Route lookup fails in __ip_vs_get_out_rt() before establishing a route
- The error path calls dst_link_failure(skb) with skb->dev == NULL
- ipv4_link_failure() → ipv4_send_dest_unreach() → __ip_options_compile() → fib_compute_spec_dst()
- fib_compute_spec_dst() dereferences NULL skb->dev
Apply the same fix used for IPv6 in commit 326bf17ea5d4 ("ipvs: fix ipv6 route unreach panic"): set skb->dev from skb_dst(skb)->dev before calling dst_link_failure().
KASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f] CPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2 RIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233 RIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285 Call Trace: <TASK> spec_dst_fill net/ipv4/ip_options.c:232 spec_dst_fill net/ipv4/ip_options.c:229 __ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330 ipv4_send_dest_unreach net/ipv4/route.c:1252 ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265 dst_link_failure include/net/dst.h:437 __ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412 ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764
References
- https://www.suse.com/security/cve/CVE-2025-68813.html
- https://bugzilla.suse.com/1256641
- https://bugzilla.suse.com/1256644
- https://git.kernel.org/stable/c/25ab24df31f7af843c96a38e0781b9165216e1a8
- https://git.kernel.org/stable/c/4729ff0581fbb7ad098b6153b76b6f5aac94618a
- https://git.kernel.org/stable/c/689a627d14788ad772e0fa24c2e57a23dbc7ce90
- https://git.kernel.org/stable/c/ad891bb3d079a46a821bf2b8867854645191bab0
- https://git.kernel.org/stable/c/cdeff10851c37a002d87a035818ebd60fdb74447
- https://git.kernel.org/stable/c/312d7cd88882fc6cadcc08b02287497aaaf94bcd
- https://git.kernel.org/stable/c/dd72a93c80408f06327dd2d956eb1a656d0b5903