CVE-2025-39764
Description
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ctnetlink: remove refcounting in expectation dumpers
Same pattern as previous patch: do not keep the expectation object alive via refcount, only store a cookie value and then use that as the skip hint for dump resumption.
AFAICS this has the same issue as the one resolved in the conntrack dumper: when we do if (!refcount_inc_not_zero(&exp->use)) to increment the refcount, there is a chance that exp == last, which causes a double-increment of the refcount and subsequent memory leak.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free and double-refcount bug in the Linux kernel's netfilter ctnetlink expectation dumpers could lead to a memory leak.
Vulnerability
Overview
CVE-2025-39764 is a reference counting flaw in the Linux kernel's netfilter connection tracking (ctnetlink) subsystem, specifically in the expectation dump routines. The commit message explains that the code kept the last-dumped expectation object alive across dump chunks via an extra refcount, but the logic was flawed: when refcount_inc_not_zero is called on an expectation that is the resume point (exp == last), the refcount is incremented twice, and the resulting imbalance leaks the object [1][2]. This mirrors a similar issue previously fixed in the conntrack dumper.
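The fix replaces the held reference with a cookie value that serves only as a skip hint. The following user-space model, added here as an example and not taken from the kernel, shows that pattern: dump state between chunks is an opaque value rather than a pointer or a reference, so the dumper never touches exp->use and nothing can be incremented twice or left unreleased. The names struct expect, struct dump_ctx, dump_chunk, dump_all and refcounts_balanced are this example's own, as is the constructed table of expectations and the way it resumes when the cookie's entry has been freed in the meantime.

```c
/* Constructed user-space model of cookie-based dump resumption; an added
 * example, not the kernel's code. All names here are this example's own. */
#include <stdbool.h>
#include <stddef.h>

#define MAX_EXP 8

/* Model of an expectation: a stable identity plus a refcount standing in for
 * exp->use. The table holds the one reference; a freed entry has use == 0. */
struct expect {
    unsigned long id;
    int use;
};

static struct expect table[MAX_EXP];
static int nexp;

void init_table(int n)
{
    nexp = n > MAX_EXP ? MAX_EXP : n;
    for (int i = 0; i < nexp; i++) {
        table[i].id = 1000 + i;   /* constructed ids, assigned in table order */
        table[i].use = 1;
    }
}

/* Simulate an expectation being removed between two dump chunks. */
void expect_free(unsigned long id)
{
    for (int i = 0; i < nexp; i++)
        if (table[i].use && table[i].id == id)
            table[i].use = 0;
}

/* State carried between chunks: an opaque value, never a pointer and never
 * a reference. cookie == 0 means "start from the top". */
struct dump_ctx {
    unsigned long cookie;
    bool done;
};

/* Emit up to `budget` live entries into out[], resuming after the entry whose
 * id equals ctx->cookie. Returns the number emitted. Refcounts are never
 * touched, so there is nothing to put and nothing that can be double-counted. */
int dump_chunk(struct dump_ctx *ctx, unsigned long *out, int budget)
{
    bool skipping = ctx->cookie != 0;
    bool cookie_alive = false;
    int emitted = 0;

    for (int i = 0; i < nexp && skipping; i++)
        if (table[i].use && table[i].id == ctx->cookie)
            cookie_alive = true;

    for (int i = 0; i < nexp; i++) {
        struct expect *exp = &table[i];
        if (!exp->use)
            continue;               /* freed since the last chunk: nothing to show */
        if (skipping) {
            if (cookie_alive) {
                if (exp->id != ctx->cookie)
                    continue;
                skipping = false;   /* resume point found; it was already sent */
                continue;
            }
            /* The cookie's entry vanished. This model assigns ids in table
             * order, so it resumes at the first live id past the cookie (a
             * choice of this example, not a statement about the kernel). */
            if (exp->id <= ctx->cookie)
                continue;
            skipping = false;
        }
        if (emitted == budget) {
            ctx->done = false;      /* buffer full; cookie already names the last sent entry */
            return emitted;
        }
        out[emitted++] = exp->id;
        ctx->cookie = exp->id;      /* remember the resume point by value only */
    }
    ctx->done = true;
    return emitted;
}

/* Drive the dump to completion in chunks of `budget`; returns the total emitted. */
int dump_all(int budget, unsigned long *out, int max)
{
    struct dump_ctx ctx = { 0, false };
    int total = 0;
    while (!ctx.done && total < max) {
        int room = max - total < budget ? max - total : budget;
        int n = dump_chunk(&ctx, out + total, room);
        total += n;
        if (n == 0 && !ctx.done)
            break;                  /* defensive: never spin on an empty chunk */
    }
    return total;
}

/* The invariant the fix restores: after any sequence of chunks, no entry
 * carries a reference that the dumper took and never released. */
bool refcounts_balanced(void)
{
    for (int i = 0; i < nexp; i++)
        if (table[i].use > 1)
            return false;
    return true;
}
```

Running dump_all with a small budget over a table of five entries yields every id exactly once in order, and refcounts_balanced stays true throughout; freeing the entry named by the cookie between two chunks cannot dangle anything, because the dumper never kept a pointer to it.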
Attack
Vector and Exploitation
To exploit this vulnerability, an attacker would need local access to the system and the ability to trigger netlink dumps of conntrack expectations (typically via tools like conntrack -E expect or a custom netlink client). The bug is triggered during dump resumption, where a "cookie" value is used to skip already-dumped entries. No special privileges beyond the ability to read netlink conntrack information (often granted to unprivileged containers or user namespaces) are required [1].
Impact
An attacker can cause a memory leak by repeatedly triggering ctnetlink expectation dumps in a pattern that hits the double-refcount condition. Over time, this leaks kernel memory, potentially leading to denial of service (system instability or resource exhaustion). The CVSS v3 score is 5.5 (Medium), reflecting the local access requirement and the denial-of-service impact [2]. There is no indication of code execution or privilege escalation.
Mitigation
The fix has been merged into the Linux kernel stable tree via commits 078d33c95bf5, b05500444b8eb, and 9e5021a90653 [1][2][3]. Users should update to a kernel version containing these patches. No workaround is available other than restricting local access to the system.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
- 64b768404224
- 9e5021a90653
- 078d33c95bf5
- a4d634ded4d3
- 1492e3dcb2be
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://git.kernel.org/stable/c/1492e3dcb2be3aa46d1963da96aa9593e4e4db5a (nvd, Patch)
- https://git.kernel.org/stable/c/a4d634ded4d3d400f115d84f654f316f249531c9 (nvd, Patch)
- https://git.kernel.org/stable/c/078d33c95bf534d37aa04269d1ae6158e20082d5 (nvd)
- https://git.kernel.org/stable/c/64b7684042246e3238464c66894e30ba30c7e851 (nvd)
- https://git.kernel.org/stable/c/9e5021a906532ca16e2aac69c0607711e1c70b1f (nvd)
- https://git.kernel.org/stable/c/b05500444b8eb97644efdd180839a04a706be97c (nvd)
- https://git.kernel.org/stable/c/bada48ad5b0590e318d0f79636ff62a2ef9f4955 (nvd)