Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: remove refcounting in expectation dumpers

Same pattern as previous patch: do not keep the expectation object
alive via refcount, only store a cookie value and then use that
as the skip hint for dump resumption.

AFAICS this has the same issue as the one resolved in the conntrack
dumper, when we do
if (!refcount_inc_not_zero(&exp->use))

to increment the refcount, there is a chance that exp == last, which
causes a double-increment of the refcount and subsequent memory leak.
Published: 2025-09-11
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory leak due to improper reference counting in netfilter expectation dumpers
Action: Apply patch
AI Analysis

Impact

The vulnerability stems from improper reference counting in the netfilter ctnetlink expectation dumper. Before the fix, the dumper kept the expectation object it had stopped at alive across dump calls by holding a reference to it; the fix instead stores only a cookie value and uses it as the skip hint when the dump resumes. In the old scheme, when the dump resumes and the current expectation is the one the previous call stopped at (exp == last), its reference count can be incremented a second time, and the extra reference is never released, so the object is leaked. Such leaks consume kernel memory over time and can exhaust resources and degrade system stability.
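The resumption pattern described in the commit message and in the analysis above, as an added illustration (not the kernel's code and not part of the OpenCVE page): a userspace C model in which a dump emits a few entries per call and must remember where it stopped. `dump_pinned` keeps the resume object alive with a reference, the old scheme, and shows the double increment when the resumed call stops on the same object (exp == last); `dump_cookie` stores only a cookie, as the fix does. The object layout, the `id` field used as the cookie, the per-call `budget` standing in for a full skb, the stale-hint clearing in the exit path and all function names are assumptions of this model, simplified from the real dumper.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a refcounted expectation, not struct nf_conntrack_expect.
 * `use` stands in for refcount_t use: the table holds one reference (use == 1)
 * and the dumper's references come on top of that. */
struct exp {
    uintptr_t id;          /* assumed stable identifier, used as the cookie */
    int use;
    struct exp *next;
};

/* Stand-in for refcount_inc_not_zero(): never resurrect a dying object. */
static bool exp_get_not_zero(struct exp *e)
{
    if (e->use == 0) return false;
    e->use++;
    return true;
}

static void exp_put(struct exp *e) { if (e->use > 0) e->use--; }

/* Per-dump state, loosely modelled on the netlink callback's cb->args[]. */
struct dump_cb {
    struct exp *last;       /* old scheme: resume object pinned by a reference */
    uintptr_t last_cookie;  /* new scheme: opaque skip hint, no reference held */
};

/* Old scheme: emit up to `budget` entries per call (a full skb ends the call), pin
 * the first object that does not fit by taking a reference, and skip to it next
 * time. Stopping on that same object again means two gets but only one put. */
static int dump_pinned(struct exp *head, struct dump_cb *cb, int budget)
{
    struct exp *last = cb->last;
    int emitted = 0;
    for (struct exp *e = head; e; e = e->next) {
        if (cb->last) {
            if (e != last) continue;        /* not yet at the resume point */
            cb->last = NULL;
        }
        if (emitted == budget) {
            if (!exp_get_not_zero(e)) continue; /* second increment when e == last */
            cb->last = e;
            goto out;
        }
        emitted++;                          /* entry "written" to the message */
    }
out:
    if (last) {
        if (cb->last == last) cb->last = NULL;  /* stalled on the resume object */
        exp_put(last);                          /* one put against two gets */
    }
    return emitted;
}

/* New scheme, as the commit message describes: store only a cookie of the object
 * the dump stopped at and use it as the skip hint. No reference is held across
 * calls, so nothing is incremented twice; a stale cookie just restarts the walk. */
static int dump_cookie(struct exp *head, struct dump_cb *cb, int budget)
{
    uintptr_t skip_to = cb->last_cookie;
    int emitted = 0;
restart:
    for (struct exp *e = head; e; e = e->next) {
        if (skip_to) {
            if (e->id != skip_to) continue;
            skip_to = 0;
        }
        if (emitted == budget) {
            cb->last_cookie = e->id;        /* a plain value, no reference */
            return emitted;
        }
        emitted++;
    }
    if (skip_to) { skip_to = 0; goto restart; } /* stale cookie: object vanished */
    cb->last_cookie = 0;                    /* walk complete */
    return emitted;
}

/* Constructed three-object table; call 1 fits one entry, call 2 none (stopping on
 * the resume object again), call 3 finishes. Count objects that can never be freed. */
static int leaked_after_stalled_resume(bool use_cookie)
{
    struct exp c = { .id = 3, .use = 1, .next = NULL };
    struct exp b = { .id = 2, .use = 1, .next = &c };
    struct exp a = { .id = 1, .use = 1, .next = &b };
    struct dump_cb cb = { NULL, 0 };
    int (*dump)(struct exp *, struct dump_cb *, int) =
        use_cookie ? dump_cookie : dump_pinned;
    dump(&a, &cb, 1);
    dump(&a, &cb, 0);
    dump(&a, &cb, 8);
    if (cb.last) exp_put(cb.last);          /* done callback drops a pending pin */
    exp_put(&a); exp_put(&b); exp_put(&c);  /* table drops its own references */
    return (a.use != 0) + (b.use != 0) + (c.use != 0);
}
```

Calling `leaked_after_stalled_resume(false)` reports one object whose use count never returns to zero, while the cookie variant reports none. The design point is the one the commit makes: a skip hint that carries no ownership has nothing to pair, so no resume path can be left holding an unmatched get.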

Affected Systems

All Linux kernel distributions may be affected, because the CPEs cover the generic kernel and the 6.17 release candidate. The flaw exists in the kernel's netfilter implementation, so any system running a vulnerable kernel version prior to the patch is susceptible. Distributions should check the vendor's kernel update page for the specific commit or kernel release that contains the fix.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation in the wild, and the flaw is not listed in CISA’s KEV catalog. The likely attack vector is local privileged or kernel-level code that triggers expectation dumps; it does not appear to be exploitable remotely without additional privileges. Therefore, the risk is moderate, but the probability of exploitation remains low unless a privileged user or another root exploit is present.

Generated by OpenCVE AI on April 20, 2026 at 15:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the refcounting fix for ctnetlink expectation dumpers, as referenced by the commit linked in the advisory.
  • If an immediate kernel upgrade is not possible, disable the ctnetlink expectation dump functionality, for example by restricting access to the related control interface or removing the feature via sysctl if available.
  • After applying a fix or disabling the feature, monitor kernel memory usage for abnormal growth and ensure that the system remains stable.

Generated by OpenCVE AI on April 20, 2026 at 15:30 UTC.


Advisories

Source     | ID              | Title
Debian DLA | DLA-4561-1      | linux-6.1 security update
Debian DSA | DSA-6238-1      | linux security update
Debian DSA | DSA-6243-1      | linux security update
EUVD       | EUVD-2025-28948 | netfilter: ctnetlink: remove refcounting in expectation dumpers (title repeats the description at the top of this page)
History

Mon, 20 Apr 2026 16:00:00 +0000
  Weaknesses: CWE-366, CWE-415

Sat, 18 Apr 2026 09:15:00 +0000
  (no values shown)

Wed, 25 Mar 2026 10:45:00 +0000
  (no values shown)

Tue, 25 Nov 2025 20:00:00 +0000
  Weaknesses: NVD-CWE-Other
  CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
        cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*

Fri, 12 Sep 2025 08:15:00 +0000
  First Time appeared: Linux; Linux linux Kernel
  Vendors & Products: Linux; Linux linux Kernel

Fri, 12 Sep 2025 00:15:00 +0000
  References
  Metrics: threat_severity None; cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; threat_severity Low

Thu, 11 Sep 2025 17:00:00 +0000
  Description: netfilter: ctnetlink: remove refcounting in expectation dumpers (the description shown at the top of this page)
  Title: netfilter: ctnetlink: remove refcounting in expectation dumpers
  References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T21:35:48.352Z

Reserved: 2025-04-16T07:20:57.126Z

Link: CVE-2025-39764

Vulnrichment

No data.

NVD

Status: Modified

Published: 2025-09-11T17:15:40.653

Modified: 2026-04-18T09:16:11.663

Link: CVE-2025-39764

Redhat

Severity: Low

Public Date: 2025-09-11T00:00:00Z

Links: CVE-2025-39764 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T15:45:10Z