PT-2025-14339 · Linux+2 · Linux Kernel+2

Published 2025-03-08 · Updated 2026-01-20 · CVE-2025-21958

CVSS v3.1: 4.7 (Medium)

Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

The issue is related to openvswitch in the Linux kernel. Specifically, it involves the ovs_ct_set_labels() function, which is called for confirmed conntrack entries within ovs_ct_commit(). However, if a conntrack entry does not have the labels_ext extension, attempting to allocate it in ovs_ct_get_conn_labels() for a confirmed entry triggers a warning in nf_ct_ext_add(). This warning occurs when the conntrack entry is created externally before OVS increments net->ct.labels_used. The problem has become more likely since the commit that changed to use per-action label counting and increment net->ct.labels_used when a flow with ct action is added. The issue has been mitigated by reverting this commit to avoid breaking existing use cases.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Allocation of Resources Without Limits

Time Of Check To Time Of Use

Weakness Enumeration

Related Identifiers

BDU:2025-12299
CVE-2025-21958

Affected Products

Astra Linux
Linux Kernel
Red Os