Impact
The nf_conntrack_expect subsystem in the Linux kernel has a logic flaw that allows any process with read access to the /proc filesystem to enumerate expectations that belong to another network namespace. This exposes connection-tracking state for connections in other namespaces, revealing sensitive traffic patterns and potentially allowing an attacker to infer the presence of devices or services in a namespace they are not part of. The vulnerability is a moderate-severity kernel data-exposure flaw with a CVSS score of 5.5.
Affected Systems
The flaw is present in the Linux kernel’s nf_conntrack_expect component across many releases: the CPE strings span all modern kernel versions, from 2.6.28 through the 7.0 release candidates. Any Linux system running a kernel that includes this module and exposes /proc to local users is at risk. The CNA lists the vendor and product as Linux:Linux, implying that all distributions shipping the default kernel are affected unless the kernel is patched or the module is disabled.
Risk and Exploitability
The EPSS score is reported as less than 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting low exploitation activity. The attack vector is local: an adversary must already be able to read /proc entries, which requires local access with permission to read the relevant /proc files. The CVSS base score of 5.5 reflects the moderate impact with limited scope. No remote or privilege-escalation vector is documented; the flaw is strictly an information-disclosure problem with local read access as the prerequisite.