VYPR
Severity: Unrated · Source: NVD Advisory · Published Nov 12, 2025 · Updated Apr 15, 2026

CVE-2025-40206

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_objref: validate objref and objrefmap expressions

Referencing a synproxy stateful object from OUTPUT hook causes kernel crash due to infinite recursive calls:

BUG: TASK stack guard page was hit at 000000008bda5b8c (stack is 000000003ab1c4a5..00000000494d8b12)
[...]
Call Trace:
 __find_rr_leaf+0x99/0x230
 fib6_table_lookup+0x13b/0x2d0
 ip6_pol_route+0xa4/0x400
 fib6_rule_lookup+0x156/0x240
 ip6_route_output_flags+0xc6/0x150
 __nf_ip6_route+0x23/0x50
 synproxy_send_tcp_ipv6+0x106/0x200
 synproxy_send_client_synack_ipv6+0x1aa/0x1f0
 nft_synproxy_do_eval+0x263/0x310
 nft_do_chain+0x5a8/0x5f0 [nf_tables]
 nft_do_chain_inet+0x98/0x110
 nf_hook_slow+0x43/0xc0
 __ip6_local_out+0xf0/0x170
 ip6_local_out+0x17/0x70
 synproxy_send_tcp_ipv6+0x1a2/0x200
 synproxy_send_client_synack_ipv6+0x1aa/0x1f0
 [...]

Implement objref and objrefmap expression validate functions.

Currently, only NFT_OBJECT_SYNPROXY object type requires validation. This will also handle a jump to a chain using a synproxy object from the OUTPUT hook.

Now when trying to reference a synproxy object in the OUTPUT hook, nft will produce the following error:

synproxy_crash.nft: Error: Could not process rule: Operation not supported
        synproxy name mysynproxy
        ^^^^^^^^^^^^^^^^^^^^^^^^

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing validate callbacks in the nft_objref and nft_objrefmap expressions let a synproxy stateful object be referenced from an OUTPUT-hook chain, which crashes the kernel through unbounded recursion.

Vulnerability

Before the fix, the nft_objref and nft_objrefmap expressions in the Linux kernel's netfilter subsystem had no validate callback, so nothing checked which hooks a referenced stateful object may legitimately run from. A synproxy object referenced from a chain on the OUTPUT hook (directly, or through a jump to a chain that references it) is evaluated on locally generated packets. The SYN-ACK that synproxy emits in reply is itself locally generated: it passes through ip6_local_out, re-enters the OUTPUT hook via nf_hook_slow, reaches the same rule, and synproxy emits another SYN-ACK. The recursion never terminates, the task's kernel stack is exhausted, and the guard-page hit shown in the trace kills the kernel [1]. The call trace records exactly this loop: nft_synproxy_do_eval -> synproxy_send_client_synack_ipv6 -> synproxy_send_tcp_ipv6 -> ip6_local_out -> nf_hook_slow -> nft_do_chain -> nft_synproxy_do_eval.

Exploitation

Triggering the bug requires loading an nftables rule that references a synproxy object from a chain attached to the output hook, for example "synproxy name mysynproxy" as in the commit's reproducer. Loading rules needs CAP_NET_ADMIN in the network namespace concerned; the page describes no further prerequisite. Calling this "unprivileged" is only accurate where an otherwise unprivileged local user can obtain CAP_NET_ADMIN over a network namespace they create, which depends on unprivileged user namespaces being enabled on the host. Once such a rule is in place, traffic through the output chain that hits it starts the recursion. The outcome is denial of service (a kernel crash from stack exhaustion), not memory disclosure or code execution.

Impact and Mitigation

An attacker holding that privilege can crash the whole host, taking down every workload on it, not only the namespace in which the rule was loaded. The fix adds validate callbacks to the nft_objref and nft_objrefmap expressions. NFT_OBJECT_SYNPROXY is currently the only object type that needs validation: the callback rejects a synproxy reference from a chain whose base hook is OUTPUT, and because nf_tables validation follows jumps while keeping the originating base chain in its context, a synproxy reference reached through a jump from an OUTPUT-hook chain is rejected as well. Loading such a ruleset now fails with "Operation not supported" (EOPNOTSUPP) instead of being accepted [1]. Patches have been backported to stable kernel versions. Until a fixed kernel is running, keep synproxy objects out of output-hook chains; the hooks the synproxy expression itself is permitted on are input and forward.
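The following is an added example, written for this page and not taken from the kernel or from the fix commit. It models the shape of the check the fix introduces: an expression validate callback that compares the originating base chain's hook against the hooks the referenced object type allows, with validation walking through jumps so that a synproxy reference in a regular chain reached from an OUTPUT-hook base chain is caught too. The struct names, the tiny expression set and the constructed chains are simplifications assumed here (the kernel's real nft_ctx, nft_chain and nft_expr carry far more state, nft_objrefmap resolves objects through a set, and the family check is omitted); only the NF_INET_* hook numbering and the allowed-hook set for synproxy follow the kernel.

```c
/* Added example: hook-mask validation through jumps, modeled on the
 * nf_tables validation walk. Not kernel code; names are stand-ins. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* hook numbering as in the kernel's enum nf_inet_hooks */
enum nf_inet_hooks { NF_INET_PRE_ROUTING, NF_INET_LOCAL_IN, NF_INET_FORWARD,
                     NF_INET_LOCAL_OUT, NF_INET_POST_ROUTING };

#define JUMP_STACK_SIZE 16 /* assumed cap on nested jumps, as the kernel has one */

enum obj_type { OBJ_COUNTER, OBJ_SYNPROXY };
enum expr_kind { EXPR_OBJREF, EXPR_JUMP };

struct chain;
struct expr {
    enum expr_kind kind;
    enum obj_type obj;          /* EXPR_OBJREF: referenced object type */
    const struct chain *target; /* EXPR_JUMP: chain jumped to */
};

struct chain {
    const char *name;
    unsigned int hook_mask; /* base chain: 1 << NF_INET_*; regular chain: 0 */
    const struct expr *exprs;
    size_t nexprs;
};

/* validation context: the base chain's hook survives across jumps */
struct ctx { unsigned int hook_mask; unsigned int level; };

static int validate_hooks(const struct ctx *ctx, unsigned int allowed)
{
    /* base hook must be one of the hooks the expression permits */
    return (ctx->hook_mask & ~allowed) ? -EOPNOTSUPP : 0;
}

static int objref_validate_type(const struct ctx *ctx, enum obj_type type)
{
    switch (type) {
    case OBJ_SYNPROXY:
        /* synproxy answers a SYN with a locally generated SYN-ACK; from
         * LOCAL_OUT that packet re-enters the same chain (the CVE's loop) */
        return validate_hooks(ctx, (1u << NF_INET_LOCAL_IN) | (1u << NF_INET_FORWARD));
    default:
        return 0; /* other object types need no hook restriction */
    }
}

static int chain_validate(struct ctx *ctx, const struct chain *chain);

static int expr_validate(struct ctx *ctx, const struct expr *e)
{
    int err;

    switch (e->kind) {
    case EXPR_OBJREF:
        return objref_validate_type(ctx, e->obj);
    case EXPR_JUMP:
        if (ctx->level + 1 >= JUMP_STACK_SIZE)
            return -EMLINK;
        ctx->level++;
        err = chain_validate(ctx, e->target); /* same ctx: base hook kept */
        ctx->level--;
        return err;
    }
    return -EINVAL;
}

static int chain_validate(struct ctx *ctx, const struct chain *chain)
{
    for (size_t i = 0; i < chain->nexprs; i++) {
        int err = expr_validate(ctx, &chain->exprs[i]);
        if (err)
            return err;
    }
    return 0;
}

/* validate everything reachable from one base chain */
int base_chain_validate(const struct chain *base)
{
    struct ctx ctx = { .hook_mask = base->hook_mask, .level = 0 };
    return chain_validate(&ctx, base);
}

/* constructed rulesets: "synproxy name mysynproxy" directly in a base
 * chain, and in a regular chain reached by jump */
static const struct expr synproxy_ref[] = { { EXPR_OBJREF, OBJ_SYNPROXY, NULL } };
static const struct chain helper = { "helper", 0, synproxy_ref, 1 };
static const struct expr jump_to_helper[] = { { EXPR_JUMP, OBJ_COUNTER, &helper } };

static int check(const char *name, unsigned int hook, const struct expr *exprs)
{
    const struct chain c = { name, 1u << hook, exprs, 1 };
    return base_chain_validate(&c);
}

int output_direct(void)   { return check("output",  NF_INET_LOCAL_OUT, synproxy_ref); }
int output_via_jump(void) { return check("output",  NF_INET_LOCAL_OUT, jump_to_helper); }
int input_via_jump(void)  { return check("input",   NF_INET_LOCAL_IN,  jump_to_helper); }
int forward_direct(void)  { return check("forward", NF_INET_FORWARD,   synproxy_ref); }

int main(void)
{
    printf("output, direct:   %s\n", strerror(-output_direct()));
    printf("output, via jump: %s\n", strerror(-output_via_jump()));
    printf("input, via jump:  %s\n", strerror(-input_via_jump()));
    printf("forward, direct:  %s\n", strerror(-forward_direct()));
    return 0;
}
```

The two output-chain cases return -EOPNOTSUPP, which userspace prints as the "Operation not supported" error shown in the commit message; the input and forward cases pass. The point to take from the model is that the decision is made against the base chain's hook, not the chain the expression physically sits in, which is why a jump from an output chain to a helper chain does not evade the check.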

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 4

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0