CVE-2025-38732 — Improper Update of Reference Count in Linux
Severity
5.5MEDIUMNVD
EPSS
0.0%
top 96.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedSep 5
Latest updateMar 25
Description
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_reject: don't leak dst refcount for loopback packets
recent patches to add a WARN() when replacing skb dst entry found an
old bug:
WARNING: include/linux/skbuff.h:1165 skb_dst_check_unset include/linux/skbuff.h:1164 [inline]
WARNING: include/linux/skbuff.h:1165 skb_dst_set include/linux/skbuff.h:1210 [inline]
WARNING: include/linux/skbuff.h:1165 nf_reject_fill_skb_dst+0x2a4/0x330 net/ipv4/netfilter/nf_reject_ipv…
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6
Affected Packages3 packages
▶CVEListV5linux/linuxf53b9b0bdc59c0823679f2e3214e0d538f5951b9 — 7b8b503c06274ef3c6c1a107743f1ec0d0a53ef8+7
Also affects: Debian Linux 11.0
Patches
🔴Vulnerability Details
3GHSA▶
GHSA-p76p-fh7v-f8jw: In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_reject: don't leak dst refcount for loopback packets
recent patche↗2025-09-05
OSV▶
CVE-2025-38732: In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject: don't leak dst refcount for loopback packets recent patches↗2025-09-05