CVE-2025-39764: Improper Update of Reference Count in Linux

Severity
5.5 MEDIUM (NVD)
EPSS
0.0%
top 95.04%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Sep 11

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: remove refcounting in expectation dumpers

Same pattern as previous patch: do not keep the expectation object alive via refcount, only store a cookie value and then use that as the skip hint for dump resumption.

AFAICS this has the same issue as the one resolved in the conntrack dumper, when we do if (!refcount_inc_not_zero(&exp->use)) to increment the refcount, there is a chance that exp == last, which

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 1.8 | Impact: 3.6

Patches

🔴 Vulnerability Details

2
GHSA
GHSA-rh5v-2xrc-gj9x: In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: remove refcounting in expectation dumpers Same pattern as
2025-09-11
OSV
CVE-2025-39764: In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: remove refcounting in expectation dumpers Same pattern as pr
2025-09-11

📋 Vendor Advisories

3
Red Hat
kernel: Linux kernel: Denial of Service via double-increment of reference count in netfilter
2025-09-11
Microsoft
netfilter: ctnetlink: remove refcounting in expectation dumpers
2025-09-09
Debian
CVE-2025-39764: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ...
2025