PT-2025-4329 · Linux · Linux Kernel
Pablo Neira Ayuso · Published 2025-01-08 · Updated 2025-11-12
CVE-2025-21648
CVSS v3.1: 5.5 (Medium)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.6.74
Description
A vulnerability in the Linux kernel's netfilter conntrack hashtable-resize path has been resolved. Because the allocation for the new hashtable was made without __GFP_NOWARN, an oversized resize request could trigger WARN_ON_ONCE() in kvmalloc_node_noprof(). The fix clamps the maximum hashtable size to INT_MAX. Note that resizing the hashtable is only possible from the init netns.
Recommendations
For Linux kernel versions prior to 6.6.74, update to version 6.6.74 or later to resolve the issue. As a temporary workaround, consider restricting who can resize the conntrack hashtable, to prevent potential exploitation.
Weakness Enumeration
Buffer Overflow
Affected Products
Almalinux
Astra Linux
Debian
Linuxmint
Linux Kernel
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu