Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_ct: add seqadj extension for natted connections

Sequence adjustment may be required for FTP traffic with PASV/EPSV modes,
due to the need to re-write packet payload (IP, port) on the ftp control
connection. This can require changes to the TCP length and expected
seq / ack_seq.

The easiest way to reproduce this issue is with PASV mode.
Example ruleset:

    table inet ftp_nat {
        ct helper ftp_helper {
            type "ftp" protocol tcp
            l3proto inet
        }

        chain prerouting {
            type filter hook prerouting priority 0; policy accept;
            tcp dport 21 ct state new ct helper set "ftp_helper"
        }
    }
    table ip nat {
        chain prerouting {
            type nat hook prerouting priority -100; policy accept;
            tcp dport 21 dnat ip prefix to ip daddr map {
                192.168.100.1 : 192.168.13.2/32 }
        }

        chain postrouting {
            type nat hook postrouting priority 100 ; policy accept;
            tcp sport 21 snat ip prefix to ip saddr map {
                192.168.13.2 : 192.168.100.1/32 }
        }
    }

Note that the ftp helper gets assigned *after* the dnat setup.

The inverse (nat after helper assign) is handled by an existing
check in nf_nat_setup_info() and will not show the problem.

Topology:

    +-------------------+     +----------------------------------+
    | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 |
    +-------------------+     +----------------------------------+
                                              |
                                  +-----------------------+
                                  | Client: 192.168.100.2 |
                                  +-----------------------+

ftp nat changes do not work as expected in this case:

    Connected to 192.168.100.1.
    [..]
    ftp> epsv
    EPSV/EPRT on IPv4 off.
    ftp> ls
    227 Entering passive mode (192,168,100,1,209,129).
    421 Service not available, remote server has closed connection.

Kernel logs:

    Missing nfct_seqadj_ext_add() setup call
    WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41
    [..]
    __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]
    nf_nat_ftp+0x142/0x280 [nf_nat_ftp]
    help+0x4d1/0x880 [nf_conntrack_ftp]
    nf_confirm+0x122/0x2e0 [nf_conntrack]
    nf_hook_slow+0x3c/0xb0
    ..

Fix this by adding the required extension when a conntrack helper is assigned
to a connection that has a nat binding.
Published: 2025-12-16
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: FTP session failures and possible denial of service due to incorrect TCP sequence adjustment on NATed connections
Action: Patch
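The helper-after-NAT ordering that the commit message above describes can be checked for in a saved ruleset before a kernel is patched. The following Python script is an added example, not part of the kernel commit or of OpenCVE: it parses nft list ruleset style text, records each base chain's hook and priority, and reports chains that assign a ct helper on the same hook at a later (numerically higher) priority than a nat chain. The sample ruleset is constructed from the description above (the ct helper object and the postrouting chain are omitted since they play no part in the ordering); the named-priority table is nft's standard one.

```python
import re

# nft's named base-chain priorities; numeric values are accepted as well
PRIORITY_NAMES = {"raw": -300, "mangle": -150, "dstnat": -100, "filter": 0, "security": 50, "srcnat": 100}

def parse_chains(ruleset: str) -> list:
    """One dict per base chain: table, hook, type, priority, and whether a rule sets a ct helper."""
    chains, depth, table, cur = [], 0, None, None
    for raw in ruleset.splitlines():
        line = raw.strip()
        if depth == 0 and (m := re.match(r"table\s+\w+\s+(\w+)\s*\{", line)):
            table = m.group(1)
        elif depth == 1 and (m := re.match(r"chain\s+(\w+)\s*\{", line)):
            cur = {"table": table, "chain": m.group(1), "type": None,
                   "hook": None, "priority": None, "helper_set": False}
            chains.append(cur)
        elif depth == 2 and cur is not None:
            if m := re.match(r"type\s+(\w+)\s+hook\s+(\w+)\s+priority\s+(-?\w+)", line):
                prio = m.group(3)
                cur.update(type=m.group(1), hook=m.group(2), priority=int(prio)
                           if re.fullmatch(r"-?\d+", prio) else PRIORITY_NAMES.get(prio))
            elif "ct helper set" in line:
                cur["helper_set"] = True
        depth += line.count("{") - line.count("}")  # map literals inside rules nest too
    return chains

def helper_after_nat(chains: list) -> list:
    """(helper chain, nat chain, hook) where a ct helper is assigned on the same hook at a
    later (higher) priority than a nat chain: the order the commit says trips the warning."""
    nat = [c for c in chains if c["type"] == "nat" and c["priority"] is not None]
    return [(f"{c['table']}/{c['chain']}", f"{n['table']}/{n['chain']}", n["hook"])
            for c in chains if c["helper_set"] and c["priority"] is not None
            for n in nat if n["hook"] == c["hook"] and n["priority"] < c["priority"]]

# Constructed sample: the two prerouting chains from the commit message's ruleset.
RULESET = """
table inet ftp_nat {
    chain prerouting {
        type filter hook prerouting priority 0; policy accept;
        tcp dport 21 ct state new ct helper set "ftp_helper"
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        tcp dport 21 dnat ip prefix to ip daddr map {
            192.168.100.1 : 192.168.13.2/32 }
    }
}
"""
```

Calling helper_after_nat(parse_chains(RULESET)) flags the sample; moving the helper-assigning chain to a priority below -100 (the order the commit says nf_nat_setup_info() already handles) yields an empty result.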
AI Analysis

Impact

The vulnerability arises when a conntrack helper is assigned to a connection that also has a NAT binding, but the required sequence adjustment extension is not added. The missing adjustment causes the kernel to generate packets with incorrect TCP sequence or acknowledgment numbers, leading to failures when the FTP control connection requests passive mode. An attacker with network access between client and server could force repeated FTP failures or potentially hijack an FTP session, resulting in a denial‑of‑service condition for the affected service. The weakness can be categorized as a protocol handling defect that breaches TCP’s sequence‑number integrity, as reflected in the associated CWE identifiers.

Affected Systems

All Linux kernel installations are listed as affected, but the exact kernel version range is not provided in the data. The change was introduced in the netfilter conntrack subsystem and would impact any distribution using a kernel that has not yet incorporated the patch for the missing seqadj extension.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score of less than 1% suggests exploitation is unlikely in the near term, and the vulnerability is not currently listed in CISA’s KEV catalog. The likely attack vector requires an attacker to be positioned on the network path between an FTP client and server, able to manipulate packets so that the conntrack helper is invoked on a NATed connection. No public exploit has been reported, so the risk is mainly operational. Existing network filters that enforce stricter stateful inspection or that disable the FTP helper could reduce the impact while awaiting an upstream fix.

Generated by OpenCVE AI on April 20, 2026 at 15:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Linux kernel that includes the seqadj extension for conntrack helpers on NATed connections
  • If an immediate kernel upgrade is not possible, modify the NAT rule ordering so that the FTP conntrack helper is assigned after NAT rules are processed, which avoids the missing adjustment issue
  • As a temporary workaround, disable the FTP conntrack helper for NATed FTP traffic to prevent sequence‑number mismatches until a kernel fix is deployed



Advisories
Source      ID           Title
Debian DLA  DLA-4561-1   linux-6.1 security update
Debian DSA  DSA-6126-1   linux security update
Debian DSA  DSA-6243-1   linux security update
Ubuntu USN  USN-8029-1   Linux kernel vulnerabilities
Ubuntu USN  USN-8030-1   Linux kernel (GCP) vulnerabilities
Ubuntu USN  USN-8029-2   Linux kernel vulnerabilities
Ubuntu USN  USN-8048-1   Linux kernel (OEM) vulnerabilities
Ubuntu USN  USN-8029-3   Linux kernel (Azure) vulnerabilities
Ubuntu USN  USN-8179-1   Linux kernel vulnerabilities
Ubuntu USN  USN-8184-1   Linux kernel (Real-time) vulnerabilities
Ubuntu USN  USN-8179-2   Linux kernel (FIPS) vulnerabilities
Ubuntu USN  USN-8185-1   Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN  USN-8179-3   Linux kernel vulnerabilities
Ubuntu USN  USN-8203-1   Linux kernel (Oracle) vulnerabilities
Ubuntu USN  USN-8204-1   Linux kernel (Raspberry Pi Real-time) vulnerabilities
Ubuntu USN  USN-8185-2   Linux kernel (Low Latency NVIDIA) vulnerabilities
Ubuntu USN  USN-8179-4   Linux kernel (GCP) vulnerabilities
Ubuntu USN  USN-8258-1   Linux kernel (Azure) vulnerabilities
Ubuntu USN  USN-8260-1   Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN  USN-8261-1   Linux kernel (Xilinx) vulnerabilities
History

Mon, 20 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
CWE-200

Sat, 18 Apr 2026 09:15:00 +0000


Wed, 25 Mar 2026 10:45:00 +0000


Thu, 08 Jan 2026 10:00:00 +0000


Wed, 17 Dec 2025 12:15:00 +0000

Type        Values Removed          Values Added
References
Metrics     threat_severity: None   cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
                                    threat_severity: Low


Tue, 16 Dec 2025 14:00:00 +0000

Type                 Values Removed    Values Added
Description                            (initial description, identical to the text above)
Title                                  netfilter: nft_ct: add seqadj extension for natted connections
First Time appeared                    Linux
                                       Linux linux Kernel
CPEs                                   cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products                     Linux
                                       Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:57:10.560Z

Reserved: 2025-12-16T13:41:40.255Z

Link: CVE-2025-68206

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2025-12-16T14:15:53.487

Modified: 2026-04-18T09:16:12.780

Link: CVE-2025-68206

Redhat

Severity : Low

Public Date: 2025-12-16T00:00:00Z

Links: CVE-2025-68206 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T15:30:06Z

Weaknesses