What is CVE-2025-68368?

CVE-2025-68368 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 6.12 onward and patched in 6.18.2 and 6.19. CVE-2025-68368 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2025-68368?

CVE-2025-68368 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2025-68368?

Yes, CVE-2025-68368 has been patched. Fixed versions include 6.18.2 and 6.19. If you are running Linux kernel 6.12 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2025-68368 actively exploited?

CVE-2025-68368 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2025-68368

In the Linux kernel, the following vulnerability has been resolved: md: init bioset in mddev_init IO operations may be needed before md_run(), such as updating metadata after writing sysfs. Without bioset, this triggers a NULL pointer dereference as below: BUG: kernel NULL pointer dereference, address: 0000000000000020 Call Trace: md_update_sb+0x658/0xe00 new_level_store+0xc5/0x120 md_attr_store+0xc9/0x1e0 sysfs_kf_write+0x6f/0xa0 kernfs_fop_write_iter+0x141/0x2a0 vfs_write+0x1fc/0x5a0 ksys_write+0x79/0x180 __x64_sys_write+0x1d/0x30 x64_sys_call+0x2818/0x2880 do_syscall_64+0xa9/0x580 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Reproducer ``` mdadm -CR /dev/md0 -l1 -n2 /dev/sd[cd] echo inactive > /sys/block/md0/md/array_state echo 10 > /sys/block/md0/md/new_level ``` mddev_init() can only be called once per mddev, no need to test if bioset has been initialized anymore.

Package Linux Kernel

Published 2025-12-24

Last modified 2026-04-15

Patch available

Yes

Affected versions

Linux kernel versions 6.12 and later are affected. Fixed in 6.18.2, 6.19 and their respective stable series.

Affected from

≥ 6.12

Fixed in

✓ 6.18.2 6.18.x ✓ 6.19

References

The following references provide additional information about CVE-2025-68368 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/381a3ce1c0ffed647c9b913e142b099c7e9d5afc
Patch
Kernel patch commit
https://git.kernel.org/stable/c/9d37fe37dfa0833a8768740f0575e0ffd793cb4a
Patch

Frequently asked questions

What is CVE-2025-68368?

CVE-2025-68368 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 6.12 onward and has been patched in 6.18.2 and 6.19. CVE-2025-68368 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2025-68368?

Yes — CVE-2025-68368 has been patched. Fixed versions include 6.18.2 and 6.19. If you are running Linux kernel 6.12 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2025-68368 actively exploited?

No — CVE-2025-68368 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.