Reference Count Leak in Linux Kernel Netfilter Component
CVE-2025-38721

Currently unrated

Key Information:

Vendor: Linux
Status: Vendor
CVE Published: 4 September 2025

What is CVE-2025-38721?

A reference count leak exists in the netfilter component of the Linux kernel because of improper handling in the ctnetlink_dump_table function. As a result, conntrack objects may never be released, which can block network namespace dismantling or unloading of the conntrack module. The leak occurs when a specific condition is met during the dump: the reference count is incremented but never decremented again, so the object's resources cannot be freed. It can be observed in the kernel selftests, particularly when conntrack_resize.sh is run in a loop. The fix removes the unnecessary reference counting and instead uses a cookie-based approach to track the dump state.
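The bug class described above, as an added illustration in C that is not the kernel's code: a constructed, simplified model of a table dump that stops early and stashes state for a later resume. The leaky variant pins the object by taking a reference that is never paired with a release; the cookie variant stores only an identifier, so no reference is held across calls. The object layout, the "no room left" condition and the resume state are assumptions of this model, not details taken from the page or the kernel.

```c
#include <stddef.h>

/* Constructed model of a conntrack-style object with a reference count. */
struct ct { int refcnt; unsigned long id; };

/* Constructed model of per-dump resume state (the real kernel keeps
 * something similar in the netlink callback's argument slots). */
struct dump_cb { unsigned long resume_ptr; unsigned long resume_cookie; };

/* Leaky pattern: when the dump stops early (here: no room left in the
 * message), a reference is taken and the pointer is stashed for the next
 * call. If the dump is never resumed, nothing ever drops that reference,
 * so the object outlives netns teardown / module unload. */
static int dump_table_leaky(struct ct *tbl, size_t n, size_t room, struct dump_cb *cb)
{
    for (size_t i = 0; i < n; i++) {
        if (room-- == 0) {                       /* the "specific condition" */
            tbl[i].refcnt++;                     /* get ... */
            cb->resume_ptr = (unsigned long)&tbl[i];
            return -1;                           /* ... but no matching put */
        }
    }
    return 0;
}

/* Cookie pattern: remember only an identifier; the object is looked up
 * again on resume, so no reference is held between calls and nothing can
 * leak if the dump is abandoned. */
static int dump_table_cookie(struct ct *tbl, size_t n, size_t room, struct dump_cb *cb)
{
    for (size_t i = 0; i < n; i++) {
        if (room-- == 0) {
            cb->resume_cookie = tbl[i].id;
            return -1;
        }
    }
    return 0;
}

/* Number of objects whose refcount is still elevated after a dump that
 * stopped early and was never resumed. Any value > 0 is the leak; in the
 * real kernel it would keep the conntrack module from unloading. */
int leaked_after_abandoned_dump(int use_cookie)
{
    struct ct tbl[4] = {{1, 10}, {1, 11}, {1, 12}, {1, 13}}; /* constructed table */
    struct dump_cb cb = {0, 0};
    if (use_cookie) dump_table_cookie(tbl, 4, 2, &cb);
    else dump_table_leaky(tbl, 4, 2, &cb);
    int leaked = 0;
    for (int i = 0; i < 4; i++) if (tbl[i].refcnt != 1) leaked++;
    return leaked;
}
```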

Affected Version(s)

Each range is given as introducing commit < fixing commit: kernels containing the first commit but not the second are affected.

Linux d205dc40798d97d63ad348bfaf7394f445d152d4 < 586892e341fbf698e7cbaca293e1353957db725a

Linux d205dc40798d97d63ad348bfaf7394f445d152d4 < 962518c6ca9f9a13df099cafa429f72f68ad61f0

Linux d205dc40798d97d63ad348bfaf7394f445d152d4 < 19b909a4b1452fb97e477d2f08b97f8d04095619

Timeline

  • Vulnerability published

  • Vulnerability reserved