{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-21958", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.791Z", "datePublished": "2025-04-01T15:46:57.268Z", "dateUpdated": "2025-05-04T07:25:46.303Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T07:25:46.303Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"openvswitch: switch to per-action label counting in conntrack\"\n\nCurrently, ovs_ct_set_labels() is only called for confirmed conntrack\nentries (ct) within ovs_ct_commit(). However, if the conntrack entry\ndoes not have the labels_ext extension, attempting to allocate it in\novs_ct_get_conn_labels() for a confirmed entry triggers a warning in\nnf_ct_ext_add():\n\n WARN_ON(nf_ct_is_confirmed(ct));\n\nThis happens when the conntrack entry is created externally before OVS\nincrements net->ct.labels_used. The issue has become more likely since\ncommit fcb1aa5163b1 (\"openvswitch: switch to per-action label counting\nin conntrack\"), which changed to use per-action label counting and\nincrement net->ct.labels_used when a flow with ct action is added.\n\nSince there\u2019s no straightforward way to fully resolve this issue at the\nmoment, this reverts the commit to avoid breaking existing use cases."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/openvswitch/conntrack.c", "net/openvswitch/datapath.h"], "versions": [{"version": "fcb1aa5163b1ae4cf2864b688b08927aac51f51e", "lessThan": "9e79fdabd52cfce1a021640a81256878a2c516a2", "status": "affected", "versionType": "git"}, {"version": "fcb1aa5163b1ae4cf2864b688b08927aac51f51e", "lessThan": "d91bfc64a4886102746e74d2c6f3a61e9a77fd7d", "status": "affected", "versionType": "git"}, {"version": "fcb1aa5163b1ae4cf2864b688b08927aac51f51e", "lessThan": "1063ae07383c0ddc5bcce170260c143825846b03", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/openvswitch/conntrack.c", "net/openvswitch/datapath.h"], "versions": [{"version": "6.12", "status": "affected"}, {"version": "0", "lessThan": "6.12", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.20", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.8", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.12.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.13.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.14"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9e79fdabd52cfce1a021640a81256878a2c516a2"}, {"url": "https://git.kernel.org/stable/c/d91bfc64a4886102746e74d2c6f3a61e9a77fd7d"}, {"url": "https://git.kernel.org/stable/c/1063ae07383c0ddc5bcce170260c143825846b03"}], "title": "Revert \"openvswitch: switch to per-action label counting in conntrack\"", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F6AE02FC-5B2D-426A-B8D7-3D71FBE28D40", "versionEndExcluding": "6.12.20", "versionStartIncluding": "6.12", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0A20D4D7-B329-4C68-B662-76062EA7DCF0", "versionEndExcluding": "6.13.8", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*", "matchCriteriaId": "186716B6-2B66-4BD0-852E-D48E71C0C85F", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*", "matchCriteriaId": "0D3E781C-403A-498F-9DA9-ECEE50F41E75", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*", "matchCriteriaId": "66619FB8-0AAF-4166-B2CF-67B24143261D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*", "matchCriteriaId": "D3D6550E-6679-4560-902D-AF52DCFE905B", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:*", "matchCriteriaId": "45B90F6B-BEC7-4D4E-883A-9DBADE021750", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc6:*:*:*:*:*:*", "matchCriteriaId": "1759FFB7-531C-41B1-9AE1-FD3D80E0D920", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"openvswitch: switch to per-action label counting in conntrack\"\n\nCurrently, ovs_ct_set_labels() is only called for confirmed conntrack\nentries (ct) within ovs_ct_commit(). However, if the conntrack entry\ndoes not have the labels_ext extension, attempting to allocate it in\novs_ct_get_conn_labels() for a confirmed entry triggers a warning in\nnf_ct_ext_add():\n\n WARN_ON(nf_ct_is_confirmed(ct));\n\nThis happens when the conntrack entry is created externally before OVS\nincrements net->ct.labels_used. The issue has become more likely since\ncommit fcb1aa5163b1 (\"openvswitch: switch to per-action label counting\nin conntrack\"), which changed to use per-action label counting and\nincrement net->ct.labels_used when a flow with ct action is added.\n\nSince there\u2019s no straightforward way to fully resolve this issue at the\nmoment, this reverts the commit to avoid breaking existing use cases."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Revertir \"openvswitch: cambiar al conteo de etiquetas por acci\u00f3n en conntrack\". Actualmente, ovs_ct_set_labels() solo se llama para entradas de conntrack confirmadas (ct) dentro de ovs_ct_commit(). Sin embargo, si la entrada de conntrack no tiene la extensi\u00f3n labels_ext, al intentar asignarla en ovs_ct_get_conn_labels() para una entrada confirmada, se genera una advertencia en nf_ct_ext_add(): WARN_ON(nf_ct_is_confirmed(ct)); Esto ocurre cuando la entrada de conntrack se crea externamente antes de que OVS incremente net->ct.labels_used. El problema se ha vuelto m\u00e1s frecuente desde el commit fcb1aa5163b1 (\"openvswitch: cambio al conteo de etiquetas por acci\u00f3n en conntrack\"), que cambi\u00f3 para usar el conteo de etiquetas por acci\u00f3n e incrementar net->ct.labels_used al agregar un flujo con la acci\u00f3n ct. Dado que actualmente no existe una soluci\u00f3n directa para este problema, esta reversi\u00f3n de el commit evita la interrupci\u00f3n de los casos de uso existentes."}], "id": "CVE-2025-21958", "lastModified": "2025-10-31T19:44:45.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-01T16:15:27.010", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1063ae07383c0ddc5bcce170260c143825846b03"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9e79fdabd52cfce1a021640a81256878a2c516a2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d91bfc64a4886102746e74d2c6f3a61e9a77fd7d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}, {"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: Revert \"openvswitch: switch to per-action label counting in conntrack\"", "id": "2356638", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2356638"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nRevert \"openvswitch: switch to per-action label counting in conntrack\"\nCurrently, ovs_ct_set_labels() is only called for confirmed conntrack\nentries (ct) within ovs_ct_commit(). However, if the conntrack entry\ndoes not have the labels_ext extension, attempting to allocate it in\novs_ct_get_conn_labels() for a confirmed entry triggers a warning in\nnf_ct_ext_add():\nWARN_ON(nf_ct_is_confirmed(ct));\nThis happens when the conntrack entry is created externally before OVS\nincrements net->ct.labels_used. The issue has become more likely since\ncommit fcb1aa5163b1 (\"openvswitch: switch to per-action label counting\nin conntrack\"), which changed to use per-action label counting and\nincrement net->ct.labels_used when a flow with ct action is added.\nSince there\u2019s no straightforward way to fully resolve this issue at the\nmoment, this reverts the commit to avoid breaking existing use cases."], "name": "CVE-2025-21958", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-04-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-21958\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21958\nhttps://lore.kernel.org/linux-cve-announce/2025040144-CVE-2025-21958-c94c@gregkh/T"], "threat_severity": "Low"}

{}