What is CVE-2025-68363?

CVE-2025-68363 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 5.12 onward and patched in 6.1.160, 6.6.120, 6.12.63 and others. CVE-2025-68363 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2025-68363?

CVE-2025-68363 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2025-68363?

Yes, CVE-2025-68363 has been patched. Fixed versions include 6.1.160, 6.6.120, 6.12.63 and others. If you are running Linux kernel 5.12 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2025-68363 actively exploited?

CVE-2025-68363 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2025-68363

In the Linux kernel, the following vulnerability has been resolved: bpf: Check skb->transport_header is set in bpf_skb_check_mtu The bpf_skb_check_mtu helper needs to use skb->transport_header when the BPF_MTU_CHK_SEGS flag is used: bpf_skb_check_mtu(skb, ifindex, &mtu_len, 0, BPF_MTU_CHK_SEGS) The transport_header is not always set. There is a WARN_ON_ONCE report when CONFIG_DEBUG_NET is enabled + skb->gso_size is set + bpf_prog_test_run is used: WARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071 skb_gso_validate_network_len bpf_skb_check_mtu bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch bpf_test_run bpf_prog_test_run_skb For a normal ingress skb (not test_run), skb_reset_transport_header is performed but there is plan to avoid setting it as described in commit 2170a1f09148 ("net: no longer reset transport_header in __netif_receive_skb_core()"). This patch fixes the bpf helper by checking skb_transport_header_was_set(). The check is done just before skb->transport_header is used, to avoid breaking the existing bpf prog. The WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next.

Package Linux Kernel

Published 2025-12-24

Last modified 2026-04-15

Patch available

Yes

Affected versions

Linux kernel versions 5.12 and later are affected. Fixed in 6.1.160, 6.6.120, 6.12.63, 6.17.13, 6.18.2, 6.19 and their respective stable series.

Affected from

≥ 5.12

Fixed in

✓ 6.1.160 6.1.x ✓ 6.6.120 6.6.x ✓ 6.12.63 6.12.x ✓ 6.17.13 6.17.x ✓ 6.18.2 6.18.x ✓ 6.19

References

The following references provide additional information about CVE-2025-68363 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/1c30e4afc5507f0069cc09bd561e510e4d97fbf7
Patch
Kernel patch commit
https://git.kernel.org/stable/c/30ce906557a21adef4cba5901c8e995dc18263a9
Patch
Kernel patch commit
https://git.kernel.org/stable/c/942268e2726ac7f16e3ec49dbfbbbe7cf5af9da5
Patch

6 patch commits total View all on NVD

Frequently asked questions

What is CVE-2025-68363?

CVE-2025-68363 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 5.12 onward and has been patched in 6.1.160, 6.6.120, 6.12.63 and others. CVE-2025-68363 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2025-68363?

Yes — CVE-2025-68363 has been patched. Fixed versions include 6.1.160, 6.6.120, 6.12.63 and others. If you are running Linux kernel 5.12 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2025-68363 actively exploited?

No — CVE-2025-68363 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.