Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conncount: increase the connection clean up limit to 64

After the optimization to only perform one GC per jiffy, a new problem
was introduced. If more than 8 new connections are tracked per jiffy the
list won't be cleaned up fast enough possibly reaching the limit
wrongly.

In order to prevent this issue, only skip the GC if it was already
triggered during the same jiffy and the increment is lower than the
clean up limit. In addition, increase the clean up limit to 64
connections to avoid triggering GC too often and do more effective GCs.

This has been tested using a HTTP server and several
performance tools while having nft_connlimit/xt_connlimit or OVS limit
configured.

Output of slowhttptest + OVS limit at 52000 connections:

slow HTTP test status on 340th second:
initializing: 0
pending: 432
connected: 51998
error: 0
closed: 0
service available: YES
Published: 2026-05-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Netfilter nf_conncount module was enhanced to trigger garbage collection only once per jiffy. If more than eight new connections are added in a single jiffy, the cleanup fails to keep pace, potentially inflating the connection table and causing a resource exhaustion. This can drop legitimate connections and lead to denial of service for network services using the kernel’s connection tracking. The weakness is excessive resource consumption, catalogued as CWE‑770.

Affected Systems

Any Linux distribution employing the stock Linux kernel with the original nf_conncount cleanup threshold is vulnerable until the patch raising the limit to 64 connections and adding a guard is applied. This includes all kernels shipped before the commit 0792ad07… in the kernel source tree. Users of nft_connlimit, xt_connlimit, or Open vSwitch limits would also be affected during high‑rate connection churn.

Risk and Exploitability

Based on the description, it is inferred that the attack vector is remote network traffic that rapidly opens many short‑lived connections, such as a traffic generator or a service that spawns a burst of new sockets. The EPSS score is less than 1 % and the vulnerability is not listed in CISA’s KEV catalog, indicating a relatively low exploitation probability. However, the CVSS score of 7.5 denotes moderate severity, and if an attacker can sustain a burst of more than eight new connections per jiffy against a target, the connection table may saturate, leading to denial of service for legitimate traffic.

Generated by OpenCVE AI on May 30, 2026 at 13:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the nf_conncount cleanup limit patch (commit 0792ad077d776c2dcf20f0484e2461ded1b77a24 and subsequent commits).
  • If a kernel upgrade cannot be performed immediately, configure nft_connlimit, xt_connlimit, or Open vSwitch limits to ensure that no more than eight new connections are created per jiffy, thereby preventing rapid connection churn.
  • If the nf_conncount module is not required for day‑to‑day operations, disable it temporarily until the kernel patch is applied to eliminate the exposure.

Generated by OpenCVE AI on May 30, 2026 at 13:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4606-1 linux security update
History

Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Thu, 28 May 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Thu, 28 May 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 27 May 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
CWE-770

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conncount: increase the connection clean up limit to 64 After the optimization to only perform one GC per jiffy, a new problem was introduced. If more than 8 new connections are tracked per jiffy the list won't be cleaned up fast enough possibly reaching the limit wrongly. In order to prevent this issue, only skip the GC if it was already triggered during the same jiffy and the increment is lower than the clean up limit. In addition, increase the clean up limit to 64 connections to avoid triggering GC too often and do more effective GCs. This has been tested using a HTTP server and several performance tools while having nft_connlimit/xt_connlimit or OVS limit configured. Output of slowhttptest + OVS limit at 52000 connections: slow HTTP test status on 340th second: initializing: 0 pending: 432 connected: 51998 error: 0 closed: 0 service available: YES
Title netfilter: nf_conncount: increase the connection clean up limit to 64
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-30T10:45:37.644Z

Reserved: 2026-05-13T15:03:33.080Z

Link: CVE-2026-45860

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:16:58.187

Modified: 2026-06-17T10:52:37.420

Link: CVE-2026-45860

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45860 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T13:15:24Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling