Skip to main content

Linux CVE-2025-39764

MEDIUM
2025-09-11 416baaa9-dc9f-4396-8d5f-8c081fb06d67
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 25, 2026 - 11:22 vuln.today
Patch released
Mar 25, 2026 - 11:22 nvd
Patch available
CVE Published
Sep 11, 2025 - 17:15 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: remove refcounting in expectation dumpers

Same pattern as previous patch: do not keep the expectation object alive via refcount, only store a cookie value and then use that as the skip hint for dump resumption.

AFAICS this has the same issue as the one resolved in the conntrack dumper, when we do if (!refcount_inc_not_zero(&exp->use))

to increment the refcount, there is a chance that exp == last, which causes a double-increment of the refcount and subsequent memory leak.

AnalysisAI

Memory leak in Linux kernel netfilter conntrack expectation dumper (CVE-2025-39764) allows local authenticated attackers to cause denial of service through refcount double-increment during dump resumption operations. The vulnerability affects Linux kernel versions including 6.17-rc1 and impacts the netfilter module's expectation object lifecycle management. Patch commits are available upstream; exploitation requires local system access with unprivileged user privileges.

Technical ContextAI

The vulnerability exists in the Linux kernel's netfilter conntrack subsystem, specifically in the expectation dumper functionality (net/netfilter/nf_conntrack_netlink.c). The root cause is improper reference counting logic when resuming netlink dumps of expectation objects. When the kernel executes the refcount_inc_not_zero() operation to keep an expectation object alive across dump operations, a race condition occurs where the last dumped expectation (exp == last) can be incremented twice, causing the refcount to become inconsistent and preventing proper object deallocation. This mirrors a previously patched issue in the conntrack dumper itself. The affected CPE is cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* with explicit confirmation for Linux kernel 6.17-rc1. The issue is a resource management error (CWE class not specified in input, but indicative of use-after-free or double-free patterns).

RemediationAI

Upgrade to a patched Linux kernel version incorporating the upstream fixes from commits 078d33c95bf534d37aa04269d1ae6158e20082d5 or a4d634ded4d3d400f115d84f654f316f249531c9 and related patches. Kernel maintainers should apply these commits as part of the next stable kernel release cycle. Until patching is completed, restrict local system access to trusted users and disable netfilter expectation object introspection via netlink if operationally feasible. Organizations should prioritize patching during normal maintenance windows rather than as emergency out-of-cycle updates given the low EPSS score and requirement for local authentication. Verify patch application by confirming kernel version contains the referenced commits from the upstream stable tree.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
Container suse/sl-micro/6.0/base-os-container:2.1.3-7.57 Container suse/sl-micro/6.1/base-os-container:2.2.1-5.40 Image SL-Micro Image SL-Micro-Azure Image SL-Micro-BYOS-Azure Image SL-Micro-BYOS-EC2 Image SL-Micro-BYOS-GCE Image SL-Micro-EC2 Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-Azure-llc Image SUSE-Multi-Linux-Manager-Server-Azure-ltd Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd Affected
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.80 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.41 Affected
Container suse/sl-micro/6.0/rt-os-container:2.1.3-7.95 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.34 Affected
Image SLES-Azure-3P Image SLES-Azure-Basic Image SLES-Azure-Standard Image SLES-BYOS-Azure Image SLES-BYOS-EC2 Image SLES-BYOS-GCE Image SLES-CHOST-BYOS-Aliyun Image SLES-CHOST-BYOS-Azure Image SLES-CHOST-BYOS-EC2 Image SLES-CHOST-BYOS-GCE Image SLES-CHOST-BYOS-GDC Image SLES-CHOST-BYOS-SAP-CCloud Image SLES-EC2 Image SLES-GCE Image SLES-Hardened-BYOS-Azure Image SLES-Hardened-BYOS-EC2 Image SLES-Hardened-BYOS-GCE Image SLES-SAPCAL-Azure Image SLES-SAPCAL-EC2 Image SLES-SAPCAL-GCE Affected
Image SLES-SAP-Azure Image SLES-SAP-Azure-3P Image SLES-SAP-BYOS-Azure Image SLES-SAP-BYOS-EC2 Image SLES-SAP-BYOS-GCE Image SLES-SAP-GCE Affected

Share

CVE-2025-39764 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy