netfilter: nft_ct: add seqadj extension for natted connections
Summary
| CVE | CVE-2025-68206 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2025-12-16 14:15:53 UTC |
| Updated | 2026-04-18 09:16:12 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: add seqadj extension for natted connections Sequence adjustment may be required for FTP traffic with PASV/EPSV modes. due to need to re-write packet payload (IP, port) on the ftp control connection. This can require changes to the TCP length and expected seq / ack_seq. The easiest way to reproduce this issue is with PASV mode. Example ruleset: table inet ftp_nat { ct helper ftp_helper { type "ftp" protocol tcp l3proto inet } chain prerouting { type filter hook prerouting priority 0; policy accept; tcp dport 21 ct state new ct helper set "ftp_helper" } } table ip nat { chain prerouting { type nat hook prerouting priority -100; policy accept; tcp dport 21 dnat ip prefix to ip daddr map { 192.168.100.1 : 192.168.13.2/32 } } chain postrouting { type nat hook postrouting priority 100 ; policy accept; tcp sport 21 snat ip prefix to ip saddr map { 192.168.13.2 : 192.168.100.1/32 } } } Note that the ftp helper gets assigned *after* the dnat setup. The inverse (nat after helper assign) is handled by an existing check in nf_nat_setup_info() and will not show the problem. Topoloy: +-------------------+ +----------------------------------+ | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 | +-------------------+ +----------------------------------+ | +-----------------------+ | Client: 192.168.100.2 | +-----------------------+ ftp nat changes do not work as expected in this case: Connected to 192.168.100.1. [..] ftp> epsv EPSV/EPRT on IPv4 off. ftp> ls 227 Entering passive mode (192,168,100,1,209,129). 421 Service not available, remote server has closed connection. Kernel logs: Missing nfct_seqadj_ext_add() setup call WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41 [..] __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat] nf_nat_ftp+0x142/0x280 [nf_nat_ftp] help+0x4d1/0x880 [nf_conntrack_ftp] nf_confirm+0x122/0x2e0 [nf_conntrack] nf_hook_slow+0x3c/0xb0 .. Fix this by adding the required extension when a conntrack helper is assigned to a connection that has a nat binding. |
Risk And Classification
EPSS: 0.000680000 probability, percentile 0.210040000 (date 2026-04-21)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 83273af0b60c093ba0085c205864d8542e1b1653 git | Not specified |
| CNA | Linux | Linux | affected 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 b19492c25eff04852e0cb58f9bb8238b6695ed2d git | Not specified |
| CNA | Linux | Linux | affected 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 4de80f0dc3868408dd7fe9817e507123c9dd8bb0 git | Not specified |
| CNA | Linux | Linux | affected 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 b477ef7fa612fa45b6b3134d90d1eeb09396500a git | Not specified |
| CNA | Linux | Linux | affected 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 4ab2cd906e4e1a19ddbda6eb532851b0e9cda110 git | Not specified |
| CNA | Linux | Linux | affected 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 2b52d89cbbb0dbe3e948d8d9a91e704316dccfe6 git | Not specified |
| CNA | Linux | Linux | affected 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 90918e3b6404c2a37837b8f11692471b4c512de2 git | Not specified |
| CNA | Linux | Linux | affected 4.12 | Not specified |
| CNA | Linux | Linux | unaffected 4.12 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.253 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.203 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.167 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.130 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.64 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.17.9 6.17.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/b19492c25eff04852e0cb58f9bb8238b6695ed2d | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/4ab2cd906e4e1a19ddbda6eb532851b0e9cda110 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/90918e3b6404c2a37837b8f11692471b4c512de2 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/b477ef7fa612fa45b6b3134d90d1eeb09396500a | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/83273af0b60c093ba0085c205864d8542e1b1653 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/4de80f0dc3868408dd7fe9817e507123c9dd8bb0 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/2b52d89cbbb0dbe3e948d8d9a91e704316dccfe6 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.