CVE-2025-38721
published 2025-09-04CVE-2025-38721: In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix refcount leak on table dump There is a reference count leak in…
medium5.5CVSS 3.1
AVLACLPRLUINSUCNINAH
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ctnetlink: fix refcount leak on table dump
There is a reference count leak in ctnetlink_dump_table():
if (res ct_general); // HERE
cb->args[1] = (unsigned long)ct;
...
While its very unlikely, its possible that ct == last.
If this happens, then the refcount of ct was already incremented.
This 2nd increment is never undone.
This prevents the conntrack object from being released, which in turn
keeps prevents cnet->count from dropping back to 0.
This will then block the netns dismantle (or conntrack rmmod) as
nf_conntrack_cleanup_net_list() will wait forever.
This can be reproduced by running conntrack_resize.sh selftest in a loop.
It takes ~20 minutes for me on a preemptible kernel on average before
I see a runaway kworker spinning in nf_conntrack_cleanup_net_list.
One fix would to change this to:
if (res ct_general);
But this reference counting isn't needed in the first place.
We can just store a cookie value instead.
A followup patch will do the same for ctnetlink_exp_dump_table,
it looks to me as if this has the same problem and like
ctnetlink_dump_table, we only need a 'skip hint', not the actual
object so we can apply the same cookie strategy there as well.
Affected
41 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| linux | linux | — | — |
| linux | linux | >= d205dc40798d97d63ad348bfaf7394f445d152d4 < 586892e341fbf698e7cbaca293e1353957db725a | 586892e341fbf698e7cbaca293e1353957db725a |
| linux | linux | >= d205dc40798d97d63ad348bfaf7394f445d152d4 < 962518c6ca9f9a13df099cafa429f72f68ad61f0 | 962518c6ca9f9a13df099cafa429f72f68ad61f0 |
| linux | linux | >= d205dc40798d97d63ad348bfaf7394f445d152d4 < 19b909a4b1452fb97e477d2f08b97f8d04095619 | 19b909a4b1452fb97e477d2f08b97f8d04095619 |
| linux | linux | >= d205dc40798d97d63ad348bfaf7394f445d152d4 < 41462f4cfc583513833f87f9ee55d12da651a7e3 | 41462f4cfc583513833f87f9ee55d12da651a7e3 |
| linux | linux | >= d205dc40798d97d63ad348bfaf7394f445d152d4 < 30cf811058552b8cd0e98dff677ef3f89d6d34ce | 30cf811058552b8cd0e98dff677ef3f89d6d34ce |
| linux | linux | >= d205dc40798d97d63ad348bfaf7394f445d152d4 < a2cb4df7872de069f809de2f076ec8e54d649fe3 | a2cb4df7872de069f809de2f076ec8e54d649fe3 |
| linux | linux | >= d205dc40798d97d63ad348bfaf7394f445d152d4 < e14f72aa66c029db106921d621edcedef68e065b | e14f72aa66c029db106921d621edcedef68e065b |
| linux | linux | >= d205dc40798d97d63ad348bfaf7394f445d152d4 < a62d6aa3f31f216b637a4c71b7a8bfc7c57f049b | a62d6aa3f31f216b637a4c71b7a8bfc7c57f049b |
| linux | linux | >= d205dc40798d97d63ad348bfaf7394f445d152d4 < de788b2e6227462b6dcd0e07474e72c089008f74 | de788b2e6227462b6dcd0e07474e72c089008f74 |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 5.10.244-1 | 5.10.244-1 |
| linux | linux_kernel | >= 0 < 6.1.153-1 | 6.1.153-1 |
| linux | linux_kernel | >= 0 < 6.12.43-1 | 6.12.43-1 |
| linux | linux_kernel | >= 0 < 6.16.3-1 | 6.16.3-1 |
| linux | linux_kernel | >= 0 < 5.15.0-163.173 | 5.15.0-163.173 |
| linux | linux_kernel | >= 0 < 6.8.0-100.100 | 6.8.0-100.100 |
| linux | linux_kernel | >= 2.6.19 < 5.4.297 | 5.4.297 |
| linux | linux_kernel | >= 5.11 < 5.15.190 | 5.15.190 |
| linux | linux_kernel | >= 5.16 < 6.1.149 | 6.1.149 |
| linux | linux_kernel | >= 5.5 < 5.10.241 | 5.10.241 |
CVSS provenance
nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
osv5.5MEDIUM