CVE-2025-39764
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: remove refcounting in expectation dumpers

Same pattern as previous patch: do not keep the expectation object alive via refcount, only store a cookie value and then use that as the skip hint for dump resumption.

AFAICS this has the same issue as the one resolved in the conntrack dumper, when we do

if (!refcount_inc_not_zero(&exp->use))

to increment the refcount, there is a chance that exp == last, which causes a double-increment of the refcount and subsequent memory leak.
Analysis
A memory leak in the Linux kernel's netfilter conntrack expectation dumper (CVE-2025-39764) allows a local, authenticated attacker to cause a denial of service: while a netlink dump of expectation objects is resumed, the refcount of an expectation object can be incremented twice, so the object is never freed. The vulnerability affects Linux kernel versions including 6.17-rc1 and lies in the netfilter module's expectation object lifecycle management. Patch commits are available upstream; exploitation requires local access as an unprivileged user.
Technical Context
The vulnerability exists in the Linux kernel's netfilter conntrack subsystem, specifically in the expectation dumper (net/netfilter/nf_conntrack_netlink.c). The root cause is incorrect reference counting when a netlink dump of expectation objects is resumed. The dumper called refcount_inc_not_zero() to keep the expectation at which the previous dump call stopped alive until the next call; when the resumed dump re-takes that same object (exp == last), its refcount is incremented a second time without a matching release, so the count never returns to zero and the object is never deallocated. This mirrors a previously patched issue in the conntrack dumper itself, and the fix applies the same remedy: store a cookie value as the skip hint for resumption instead of holding a reference. The affected CPE is cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* with explicit confirmation for Linux kernel 6.17-rc1. The issue is a resource management error (no CWE class is given on this page); the behaviour described, a double increment that is never balanced, is a reference leak that keeps the object allocated, not a use-after-free or double free.
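To make the failure mode concrete, here is an added toy model in C. It is illustration code written for this page, not the kernel's nf_conntrack_netlink.c, and none of its names are netfilter identifiers: a small table of refcounted "expectation" objects is dumped in chunks, once with a held reference as the resume marker (the pattern the description removes) and once with a cookie (the pattern the fix adopts). struct exp, exp_get, exp_put, dump_chunk_refcounted, dump_chunk_cookie, marker_refcount_after_dump, the four-entry table and the chunk sizes are all assumptions chosen for the illustration; the clean-up step that clears the marker slot when it equals the previous marker is a modelling choice that reproduces the outcome the description gives (two increments, one release), not a transcription of the kernel code.

```c
/* Constructed toy model (illustration only, not kernel code) of the refcount
 * hazard in dump resumption described for CVE-2025-39764, beside the cookie
 * based resumption the fix adopts; every name here is a stand-in. */
#include <stdio.h>
#define NEXP 4                       /* constructed expectation table size */
struct exp {
    unsigned long id;                /* identity; the fixed dumper's cookie */
    int use;                         /* refcount; the table itself holds 1 */
};
static struct exp table[NEXP];

/* refcount_inc_not_zero() stand-in: no new reference on a dying object */
static int exp_get(struct exp *e) { return e->use ? (e->use++, 1) : 0; }
static void exp_put(struct exp *e) { e->use--; }

/* Vulnerable variant: the resume marker (*marker, kept between calls like a
 * netlink cb->args slot) is a held reference. capacity is how many entries
 * fit this call; 0 models the fill routine failing on the first entry of a
 * resumed dump. *marker == NULL afterwards means "dump complete". */
static int dump_chunk_refcounted(struct exp **marker, int capacity)
{
    struct exp *last = *marker, *skip_to = last;
    int emitted = 0;
    *marker = NULL;
    for (int i = 0; i < NEXP; i++) {
        struct exp *e = &table[i];
        if (skip_to && e != skip_to)
            continue;                /* not yet at the resume point */
        skip_to = NULL;
        if (emitted == capacity) {   /* full: keep e alive for the next call;
                                      * if e is still last, 2nd ref on it */
            if (!exp_get(e))
                continue;
            *marker = e;
            break;
        }
        emitted++;
    }
    if (last) {                      /* drop the previous marker; if the new
                                      * one is that same object the slot is
                                      * cleared too, so one reference stays */
        if (*marker == last)
            *marker = NULL;
        exp_put(last);
    }
    return emitted;
}

/* Fixed variant: the marker is a cookie (the id), so nothing is held across
 * calls and nothing can leak. If the cookie's object vanished meanwhile the
 * hint never matches; the scan then restarts, accepting duplicate entries. */
static int dump_chunk_cookie(unsigned long *cookie, int capacity)
{
    unsigned long skip_to = *cookie;
    int emitted = 0;
    *cookie = 0;
restart:
    for (int i = 0; i < NEXP; i++) {
        struct exp *e = &table[i];
        if (skip_to && e->id != skip_to)
            continue;
        skip_to = 0;
        if (emitted == capacity) {
            *cookie = e->id;         /* where to resume; no reference taken */
            break;
        }
        emitted++;
    }
    if (skip_to) {                   /* resume object is gone: rescan */
        skip_to = 0;
        goto restart;
    }
    return emitted;
}

/* Run the colliding sequence (a chunk of 2, then a call where nothing fits,
 * then the rest) with either dumper; returns the refcount left on object 102,
 * which was both the resume point and the re-taken marker. */
static int marker_refcount_after_dump(int use_cookie)
{
    struct exp *last = NULL;
    unsigned long cookie = 0;
    for (int i = 0; i < NEXP; i++)   /* each object owned once, by the table */
        table[i] = (struct exp){ .id = 100 + i, .use = 1 };
    if (use_cookie) {
        dump_chunk_cookie(&cookie, 2);       /* emits 100, 101; cookie 102 */
        dump_chunk_cookie(&cookie, 0);       /* nothing fits; cookie stays 102 */
        while (cookie)
            dump_chunk_cookie(&cookie, 2);   /* emits 102, 103; done */
    } else {
        dump_chunk_refcounted(&last, 2);     /* emits 100, 101; ref on 102 */
        dump_chunk_refcounted(&last, 0);     /* 102 re-taken, slot cleared: state
                                              * says done, 102/103 never emitted */
    }
    return table[2].use;                     /* 1 if balanced, 2 if leaked */
}

int main(void)
{
    printf("held-reference marker: use=%d\n", marker_refcount_after_dump(0));
    printf("cookie marker:         use=%d\n", marker_refcount_after_dump(1));
}
```

Build it with any C99 compiler and run it: the held-reference run leaves object 102 with a refcount of 2 once the dump state is empty, so a real object in that position would never be freed, while the cookie run ends with every refcount back at 1. The cookie approach has its own edge case, which the model handles by rescanning: if the object the cookie names was freed between chunks, the skip hint never matches, and an implementation has to choose between rescanning (accepting duplicate entries) and ending the dump early.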
Affected Products
Linux kernel versions are affected per CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*, with specific confirmation for Linux kernel 6.17-rc1 and earlier. The vulnerability affects every kernel version that carries the affected netfilter expectation dumper code path. Upstream patch commits are available at:
https://git.kernel.org/stable/c/078d33c95bf534d37aa04269d1ae6158e20082d5
https://git.kernel.org/stable/c/1492e3dcb2be3aa46d1963da96aa9593e4e4db5a
https://git.kernel.org/stable/c/64b7684042246e3238464c66894e30ba30c7e851
https://git.kernel.org/stable/c/9e5021a906532ca16e2aac69c0607711e1c70b1f
https://git.kernel.org/stable/c/a4d634ded4d3d400f115d84f654f316f249531c9
Remediation
Upgrade to a patched Linux kernel that incorporates the upstream fixes (commits 078d33c95bf534d37aa04269d1ae6158e20082d5 or a4d634ded4d3d400f115d84f654f316f249531c9 and the related patches). Kernel maintainers should apply these commits in the next stable kernel release cycle. Until patching is complete, restrict local system access to trusted users and, if operationally feasible, disable netlink-based introspection of netfilter expectation objects. Given the low EPSS score and the requirement for local authentication, organizations should schedule the patch in normal maintenance windows rather than as an emergency out-of-cycle update. Verify the patch by confirming that the running kernel contains the referenced commits from the upstream stable tree.