-
CVE-2025-38721
- EPSS 0.05%
- Veröffentlicht 04.09.2025 15:33:14
- Zuletzt bearbeitet 05.09.2025 17:47:24
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- Teams Watchlist Login
- Unerledigt Login
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ctnetlink: fix refcount leak on table dump
There is a reference count leak in ctnetlink_dump_table():
if (res < 0) {
nf_conntrack_get(&ct->ct_general); // HERE
cb->args[1] = (unsigned long)ct;
...
While its very unlikely, its possible that ct == last.
If this happens, then the refcount of ct was already incremented.
This 2nd increment is never undone.
This prevents the conntrack object from being released, which in turn
keeps prevents cnet->count from dropping back to 0.
This will then block the netns dismantle (or conntrack rmmod) as
nf_conntrack_cleanup_net_list() will wait forever.
This can be reproduced by running conntrack_resize.sh selftest in a loop.
It takes ~20 minutes for me on a preemptible kernel on average before
I see a runaway kworker spinning in nf_conntrack_cleanup_net_list.
One fix would to change this to:
if (res < 0) {
if (ct != last)
nf_conntrack_get(&ct->ct_general);
But this reference counting isn't needed in the first place.
We can just store a cookie value instead.
A followup patch will do the same for ctnetlink_exp_dump_table,
it looks to me as if this has the same problem and like
ctnetlink_dump_table, we only need a 'skip hint', not the actual
object so we can apply the same cookie strategy there as well.Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
≫
Produkt
Linux
Default Statusunaffected
Version <
586892e341fbf698e7cbaca293e1353957db725a
Version
d205dc40798d97d63ad348bfaf7394f445d152d4
Status
affected
Version <
962518c6ca9f9a13df099cafa429f72f68ad61f0
Version
d205dc40798d97d63ad348bfaf7394f445d152d4
Status
affected
Version <
19b909a4b1452fb97e477d2f08b97f8d04095619
Version
d205dc40798d97d63ad348bfaf7394f445d152d4
Status
affected
Version <
41462f4cfc583513833f87f9ee55d12da651a7e3
Version
d205dc40798d97d63ad348bfaf7394f445d152d4
Status
affected
Version <
30cf811058552b8cd0e98dff677ef3f89d6d34ce
Version
d205dc40798d97d63ad348bfaf7394f445d152d4
Status
affected
Version <
a2cb4df7872de069f809de2f076ec8e54d649fe3
Version
d205dc40798d97d63ad348bfaf7394f445d152d4
Status
affected
Version <
e14f72aa66c029db106921d621edcedef68e065b
Version
d205dc40798d97d63ad348bfaf7394f445d152d4
Status
affected
Version <
a62d6aa3f31f216b637a4c71b7a8bfc7c57f049b
Version
d205dc40798d97d63ad348bfaf7394f445d152d4
Status
affected
Version <
de788b2e6227462b6dcd0e07474e72c089008f74
Version
d205dc40798d97d63ad348bfaf7394f445d152d4
Status
affected
HerstellerLinux
≫
Produkt
Linux
Default Statusaffected
Version
2.6.18
Status
affected
Version <
2.6.18
Version
0
Status
unaffected
Version <=
5.4.*
Version
5.4.297
Status
unaffected
Version <=
5.10.*
Version
5.10.241
Status
unaffected
Version <=
5.15.*
Version
5.15.190
Status
unaffected
Version <=
6.1.*
Version
6.1.149
Status
unaffected
Version <=
6.6.*
Version
6.6.103
Status
unaffected
Version <=
6.12.*
Version
6.12.43
Status
unaffected
Version <=
6.15.*
Version
6.15.11
Status
unaffected
Version <=
6.16.*
Version
6.16.2
Status
unaffected
Version <=
*
Version
6.17-rc2
Status
unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.05% | 0.143 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|