VYPR
← All advisories
Medium severity5.5NVD Advisory· Published Sep 4, 2025· Updated May 12, 2026

CVE-2025-38721

CVE-2025-38721

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: fix refcount leak on table dump

There is a reference count leak in ctnetlink_dump_table(): if (res < 0) { nf_conntrack_get(&ct->ct_general); // HERE cb->args[1] = (unsigned long)ct; ...

While its very unlikely, its possible that ct == last. If this happens, then the refcount of ct was already incremented. This 2nd increment is never undone.

This prevents the conntrack object from being released, which in turn keeps prevents cnet->count from dropping back to 0.

This will then block the netns dismantle (or conntrack rmmod) as nf_conntrack_cleanup_net_list() will wait forever.

This can be reproduced by running conntrack_resize.sh selftest in a loop. It takes ~20 minutes for me on a preemptible kernel on average before I see a runaway kworker spinning in nf_conntrack_cleanup_net_list.

One fix would to change this to: if (res < 0) { if (ct != last) nf_conntrack_get(&ct->ct_general);

But this reference counting isn't needed in the first place. We can just store a cookie value instead.

A followup patch will do the same for ctnetlink_exp_dump_table, it looks to me as if this has the same problem and like ctnetlink_dump_table, we only need a 'skip hint', not the actual object so we can apply the same cookie strategy there as well.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reference count leak in the Linux kernel's netfilter ctnetlink dump function can prevent conntrack cleanup, blocking netns dismantle or module removal.

Vulnerability

Description

CVE-2025-38721 is a reference count leak in the Linux kernel's netfilter connection tracking (conntrack) subsystem, specifically in the ctnetlink_dump_table() function. The bug occurs when a dump operation fails (res < 0) and the current conntrack object (ct) happens to be the same as the last dumped object (last). In that case, nf_conntrack_get() is called an extra time, incrementing the reference count without a corresponding decrement. This prevents the conntrack object from being freed, which in turn keeps the netfilter conntrack count from dropping to zero [1].

Exploitation

This vulnerability can be triggered by repeatedly running the conntrack_resize.sh selftest, which exercises the conntrack table dump path. The issue is a race condition that is unlikely but reproducible; on a preemptible kernel, it may take approximately 20 minutes of continuous testing to observe the leak [1]. No special privileges are required beyond the ability to trigger netfilter dumps, but the attack surface is limited to local users or processes that can interact with the conntrack subsystem.

Impact

An attacker who can trigger this leak repeatedly could cause a denial-of-service (DoS) condition. The leaked reference prevents the conntrack module from being cleaned up, which blocks network namespace dismantle or module removal. This results in a hung kworker spinning in nf_conntrack_cleanup_net_list(), effectively freezing the affected namespace or preventing the module from being unloaded [1].

Mitigation

The fix, already applied in the Linux kernel stable tree, removes the unnecessary reference count increment and instead stores a cookie value as a skip hint. The same approach is planned for the similar ctnetlink_exp_dump_table function [1]. Users should update to a patched kernel version containing the commit that resolves this issue.

References
  1. SSA-082556

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

13

News mentions

1