Skip to main content

Linux Kernel CVE-2025-68206

2025-12-16 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Lifecycle Timeline

2
Analysis Generated
Mar 25, 2026 - 11:22 vuln.today
CVE Published
Dec 16, 2025 - 14:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_ct: add seqadj extension for natted connections

Sequence adjustment may be required for FTP traffic with PASV/EPSV modes. due to need to re-write packet payload (IP, port) on the ftp control connection. This can require changes to the TCP length and expected seq / ack_seq.

The easiest way to reproduce this issue is with PASV mode. Example ruleset: table inet ftp_nat { ct helper ftp_helper { type "ftp" protocol tcp l3proto inet }

chain prerouting { type filter hook prerouting priority 0; policy accept; tcp dport 21 ct state new ct helper set "ftp_helper" } } table ip nat { chain prerouting { type nat hook prerouting priority -100; policy accept; tcp dport 21 dnat ip prefix to ip daddr map { 192.168.100.1 : 192.168.13.2/32 } }

chain postrouting { type nat hook postrouting priority 100 ; policy accept; tcp sport 21 snat ip prefix to ip saddr map { 192.168.13.2 : 192.168.100.1/32 } } }

Note that the ftp helper gets assigned *after* the dnat setup.

The inverse (nat after helper assign) is handled by an existing check in nf_nat_setup_info() and will not show the problem.

Topoloy:

+-------------------+ +----------------------------------+

| FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 | +-------------------+ +----------------------------------+

| +-----------------------+

| Client: 192.168.100.2 | +-----------------------+

ftp nat changes do not work as expected in this case: Connected to 192.168.100.1. [..] ftp> epsv EPSV/EPRT on IPv4 off. ftp> ls 227 Entering passive mode (192,168,100,1,209,129). 421 Service not available, remote server has closed connection.

Kernel logs: Missing nfct_seqadj_ext_add() setup call WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41 [..] __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat] nf_nat_ftp+0x142/0x280 [nf_nat_ftp] help+0x4d1/0x880 [nf_conntrack_ftp] nf_confirm+0x122/0x2e0 [nf_conntrack] nf_hook_slow+0x3c/0xb0 ..

Fix this by adding the required extension when a conntrack helper is assigned to a connection that has a nat binding.

AnalysisAI

Linux kernel netfilter FTP NAT helper fails to properly initialize sequence adjustment extensions when connection tracking helper assignment occurs after NAT rule processing, causing FTP PASV/EPSV mode transfers to fail with connection drops and kernel warnings. This affects systems running vulnerable kernel versions that perform NAT operations on FTP control connections (port 21) combined with FTP helper assignment in reverse rule order; the low EPSS score (0.03%, percentile 9%) and lack of active exploitation indicators suggest limited practical exploitability, though the defect prevents legitimate FTP functionality in specific network topologies.

Technical ContextAI

The vulnerability resides in the Linux kernel netfilter subsystem, specifically the connection tracking (conntrack) and NAT modules that process FTP protocol traffic. When an FTP helper is assigned to a conntrack connection after NAT rules have already been applied, the code fails to invoke nfct_seqadj_ext_add() to initialize the sequence adjustment extension required for TCP payload rewriting. FTP PASV/EPSV modes require the NAT engine to modify packet payloads (IP addresses and port numbers) on the control connection, which necessitates recalculation of TCP sequence numbers and segment lengths. Without the seqadj extension, the __nf_nat_mangle_tcp_packet() function generates kernel warnings and the connection fails. The root cause is a missing extension setup call in the helper assignment path when a prior NAT binding exists, whereas the inverse operation path (NAT after helper) contains an existing safety check in nf_nat_setup_info(). This is a logic error in connection state management rather than memory corruption or access control bypass.

Affected ProductsAI

Linux kernel versions prior to the fixes referenced in the commit hashes are affected, specifically systems with netfilter FTP helper and NAT modules compiled or loaded. The vulnerability is confirmed in the kernel's net/netfilter/nft_ct.c and related connection tracking code. Affected versions span stable branches as indicated by multiple stable kernel commit references (2b52d89cbbb0, 4ab2cd906e4e, 4de80f0dc386, 90918e3b6404, b477ef7fa612). Distributions shipping unpatched kernels with netfilter enabled (typical for server and container deployments) inherit this vulnerability. Specific CPE data is not provided in available intelligence, but affected systems can be identified by kernel version and netfilter module configuration. Users should consult their distribution vendor (Red Hat, Ubuntu, Debian, SUSE, etc.) for backported patches to stable kernel versions.

RemediationAI

Upgrade the Linux kernel to a version containing the upstream fix; refer to the commit references in the Linux Kernel Stable tree (2b52d89cbbb0dbe3e948d8d9a91e704316dccfe6, 4ab2cd906e4e1a19ddbda6eb532851b0e9cda110, 4de80f0dc3868408dd7fe9817e507123c9dd8bb0, 90918e3b6404c2a37837b8f11692471b4c512de2, b477ef7fa612fa45b6b3134d90d1eeb09396500a) for the specific fix patches. Coordinate with your Linux distribution vendor to determine the first patched stable kernel version for your branch. As an interim workaround, reorder netfilter rules to assign the FTP helper before applying NAT rules (inverse of the problematic sequence); this activates the existing safety check in nf_nat_setup_info() and avoids the uninitialized seqadj extension condition. Alternatively, disable FTP helper assignment if FTP passive mode is not required, or isolate FTP traffic to environments without concurrent NAT operations. Monitor kernel logs for the specific warning at net/netfilter/nf_conntrack_seqadj.c:41 to confirm exposure.

CVE-2022-0847 HIGH POC
7.8 Mar 10

Linux kernel contains a flaw known as 'Dirty Pipe' where improper pipe buffer flag initialization allows unprivileged lo

CVE-2015-1328 HIGH POC
7.8 Nov 28

The overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does no

CVE-2017-7308 HIGH POC
7.8 Mar 29

The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate cer

CVE-2017-16995 HIGH POC
7.8 Dec 27

The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial

CVE-2017-1000112 HIGH POC
7.0 Oct 05

Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. Rated high severity (CVSS 7.0). Public ex

CVE-2015-8660 MEDIUM POC
6.7 Dec 28

The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr op

CVE-2012-0056 MEDIUM POC
6.9 Jan 27

The mem_write function in the Linux kernel before 3.2.2, when ASLR is disabled, does not properly check permissions when

CVE-2014-0038 MEDIUM POC
6.9 Feb 06

The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allo

CVE-2016-8655 HIGH POC
7.8 Dec 08

Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cau

CVE-2016-0728 HIGH POC
7.8 Feb 08

The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object ref

CVE-2017-0561 CRITICAL POC
9.8 Apr 07

A remote code execution vulnerability in the Broadcom Wi-Fi firmware could enable a remote attacker to execute arbitrary

CVE-2022-2588 MEDIUM POC
5.3 Jan 08

It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the h

Share

CVE-2025-68206 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy