CVE-2025-68206
Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_ct: add seqadj extension for natted connections

Sequence adjustment may be required for FTP traffic with PASV/EPSV modes, due to the need to re-write the packet payload (IP, port) on the ftp control connection. This can require changes to the TCP length and expected seq / ack_seq.

The easiest way to reproduce this issue is with PASV mode. Example ruleset:

    table inet ftp_nat {
        ct helper ftp_helper {
            type "ftp" protocol tcp
            l3proto inet
        }
        chain prerouting {
            type filter hook prerouting priority 0; policy accept;
            tcp dport 21 ct state new ct helper set "ftp_helper"
        }
    }
    table ip nat {
        chain prerouting {
            type nat hook prerouting priority -100; policy accept;
            tcp dport 21 dnat ip prefix to ip daddr map { 192.168.100.1 : 192.168.13.2/32 }
        }
        chain postrouting {
            type nat hook postrouting priority 100; policy accept;
            tcp sport 21 snat ip prefix to ip saddr map { 192.168.13.2 : 192.168.100.1/32 }
        }
    }

Note that the ftp helper gets assigned *after* the dnat setup. The inverse (nat after helper assign) is handled by an existing check in nf_nat_setup_info() and will not show the problem.

Topology:

    +-------------------+       +----------------------------------+
    | FTP: 192.168.13.2 |  <->  | NAT: 192.168.13.3, 192.168.100.1 |
    +-------------------+       +----------------------------------+
                                                  |
                                      +-----------------------+
                                      | Client: 192.168.100.2 |
                                      +-----------------------+

ftp nat changes do not work as expected in this case:

    Connected to 192.168.100.1.
    [..]
    ftp> epsv
    EPSV/EPRT on IPv4 off.
    ftp> ls
    227 Entering passive mode (192,168,100,1,209,129).
    421 Service not available, remote server has closed connection.

Kernel logs:

    Missing nfct_seqadj_ext_add() setup call
    WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41
    [..]
    __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]
    nf_nat_ftp+0x142/0x280 [nf_nat_ftp]
    help+0x4d1/0x880 [nf_conntrack_ftp]
    nf_confirm+0x122/0x2e0 [nf_conntrack]
    nf_hook_slow+0x3c/0xb0
    ..
Fix this by adding the required extension when a conntrack helper is assigned to a connection that has a nat binding.
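The kernel log excerpt above is the observable symptom of this defect. The following added example (not part of the advisory or the kernel project) scans kernel log text such as `dmesg` or `journalctl -k` output for that warning; it keys on the message text and source file rather than the `:41` line number, which can shift between kernel versions. The sample log lines are constructed from the trace in the description, with made-up timestamps.

```shell
#!/bin/sh
# Added example: report the nf_conntrack_seqadj warning from kernel log text.
# Prints three numbers: <warning messages> <WARNING lines at nf_conntrack_seqadj.c> <trace frames
# naming the FTP helper modules>. Exit status 0 if the warning message was seen, 1 otherwise.
# Usage on a live host: seqadj_warning_report "$(dmesg)"
seqadj_warning_report() {
    printf '%s\n' "$1" | awk '
    /Missing nfct_seqadj_ext_add\(\) setup call/ { hits++ }
    /WARNING: CPU: .* at net\/netfilter\/nf_conntrack_seqadj\.c:/ { warns++ }
    /nf_nat_ftp|nf_conntrack_ftp/ { ftp_frames++ }   # corroborates that the FTP helper path fired
    END {
        printf "%d %d %d\n", hits + 0, warns + 0, ftp_frames + 0
        if (hits > 0) exit 0
        exit 1
    }'
}

# Constructed sample (timestamps invented; message and frames taken from the advisory).
SAMPLE_KMSG='[  512.301001] Missing nfct_seqadj_ext_add() setup call
[  512.301020] WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41
[  512.301100] Call Trace:
[  512.301110]  __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]
[  512.301120]  nf_nat_ftp+0x142/0x280 [nf_nat_ftp]
[  512.301130]  help+0x4d1/0x880 [nf_conntrack_ftp]
[  512.301140]  nf_confirm+0x122/0x2e0 [nf_conntrack]
[  512.301150]  nf_hook_slow+0x3c/0xb0
[  600.000000] eth0: link up'
```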
Analysis
The Linux kernel netfilter FTP NAT helper fails to initialize the sequence adjustment (seqadj) extension when the connection tracking helper is assigned after NAT rule processing, causing FTP PASV/EPSV mode transfers to fail with connection drops and kernel warnings. This affects systems running vulnerable kernel versions that perform NAT on FTP control connections (port 21) and assign the FTP helper only after the DNAT binding exists; the low EPSS score (0.03%, percentile 9%) and the absence of active exploitation indicators suggest limited practical exploitability, though the defect prevents legitimate FTP functionality in specific network topologies.
Technical Context
The vulnerability resides in the Linux kernel netfilter subsystem, specifically the connection tracking (conntrack) and NAT modules that process FTP protocol traffic. When an FTP helper is assigned to a conntrack connection after NAT rules have already been applied, the code fails to invoke nfct_seqadj_ext_add() to initialize the sequence adjustment extension required for TCP payload rewriting. FTP PASV/EPSV modes require the NAT engine to modify packet payloads (IP addresses and port numbers) on the control connection, which necessitates recalculation of TCP sequence numbers and segment lengths. Without the seqadj extension, the __nf_nat_mangle_tcp_packet() function generates kernel warnings and the connection fails. The root cause is a missing extension setup call in the helper assignment path when a prior NAT binding exists, whereas the inverse operation path (NAT after helper) contains an existing safety check in nf_nat_setup_info(). This is a logic error in connection state management rather than memory corruption or access control bypass.
Affected Products
Linux kernel versions prior to the fixes referenced in the commit hashes are affected, specifically systems with netfilter FTP helper and NAT modules compiled or loaded. The vulnerability is confirmed in the kernel's net/netfilter/nft_ct.c and related connection tracking code. Affected versions span stable branches as indicated by multiple stable kernel commit references (2b52d89cbbb0, 4ab2cd906e4e, 4de80f0dc386, 90918e3b6404, b477ef7fa612). Distributions shipping unpatched kernels with netfilter enabled (typical for server and container deployments) inherit this vulnerability. Specific CPE data is not provided in available intelligence, but affected systems can be identified by kernel version and netfilter module configuration. Users should consult their distribution vendor (Red Hat, Ubuntu, Debian, SUSE, etc.) for backported patches to stable kernel versions.
Remediation
Upgrade the Linux kernel to a version containing the upstream fix; refer to the commit references in the Linux Kernel Stable tree (2b52d89cbbb0dbe3e948d8d9a91e704316dccfe6, 4ab2cd906e4e1a19ddbda6eb532851b0e9cda110, 4de80f0dc3868408dd7fe9817e507123c9dd8bb0, 90918e3b6404c2a37837b8f11692471b4c512de2, b477ef7fa612fa45b6b3134d90d1eeb09396500a) for the specific fix patches. Coordinate with your Linux distribution vendor to determine the first patched stable kernel version for your branch. As an interim workaround, reorder netfilter rules to assign the FTP helper before applying NAT rules (inverse of the problematic sequence); this activates the existing safety check in nf_nat_setup_info() and avoids the uninitialized seqadj extension condition. Alternatively, disable FTP helper assignment if FTP passive mode is not required, or isolate FTP traffic to environments without concurrent NAT operations. Monitor kernel logs for the specific warning at net/netfilter/nf_conntrack_seqadj.c:41 to confirm exposure.
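In nftables the "reorder" workaround means giving the chain that does `ct helper set` a prerouting priority that runs after conntrack (-200) but before the dstnat chain (-100), so the NAT binding is created on a connection that already has its helper. The following added example (not from the advisory or the kernel project) audits a ruleset as printed by `nft list ruleset` for that ordering; the sample rulesets are constructed from the advisory's own ruleset, and the symbolic priority names are the standard ones nft prints (plain names or integers only, not arithmetic like `dstnat - 10`).

```shell
#!/bin/sh
# Added example: audit an nftables ruleset (text from `nft list ruleset`) for
# the ordering behind this CVE: the FTP helper assigned in a prerouting chain
# that runs later (higher priority value) than the prerouting dstnat chain.
# Exit status: 0 = helper before DNAT, 1 = helper after DNAT, 2 = nothing to audit.
audit_ftp_helper_order() {
    printf '%s\n' "$1" | awk '
    BEGIN {   # symbolic priorities nft prints for the standard hook values
        n = split("raw -300 mangle -150 dstnat -100 filter 0 security 50 srcnat 100", t)
        for (i = 1; i < n; i += 2) names[t[i]] = t[i + 1]
    }
    function prio(s) { gsub(/[ \t]/, "", s); return (s in names) ? names[s] + 0 : s + 0 }
    /^[ \t]*type / && /hook prerouting/ {            # chain header line
        match($0, /priority [^;]+/)
        cur = prio(substr($0, RSTART + 9, RLENGTH - 9))
        if ($0 ~ /type nat/) nat = cur
        next
    }
    /ct helper set/ && cur != "" { helper = cur }    # rule inside a prerouting chain
    /^[ \t]*}/ { cur = "" }                          # chain (or table) closed
    END {
        if (helper == "" || nat == "") exit 2
        printf "helper chain priority %d, dstnat chain priority %d\n", helper, nat
        if (helper < nat) exit 0
        exit 1
    }'
}

# Constructed sample: the advisory ruleset (helper chain at priority 0, i.e. after
# dstnat at -100), with the postrouting snat chain left out as it is not audited.
VULNERABLE_RULESET='
table inet ftp_nat {
    ct helper ftp_helper {
        type "ftp" protocol tcp
        l3proto inet
    }
    chain prerouting {
        type filter hook prerouting priority 0; policy accept;
        tcp dport 21 ct state new ct helper set "ftp_helper"
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        tcp dport 21 dnat ip prefix to ip daddr map { 192.168.100.1 : 192.168.13.2/32 }
    }
}'
# Workaround ordering: helper chain between conntrack (-200) and dstnat (-100).
FIXED_RULESET=$(printf '%s\n' "$VULNERABLE_RULESET" | sed 's/priority 0;/priority -150;/')
```

On a live host run `audit_ftp_helper_order "$(nft list ruleset)"`; an exit status of 1 means the helper is assigned after DNAT, the ordering that triggers the warning on unpatched kernels.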