Impact
The vulnerability resides in the Linux kernel’s netfilter nft_ct subsystem. The function nft_ct_expect_obj_eval allocates an expectation object but never releases its reference before returning. This omission can lead to a memory leak within the kernel, as the allocated expectation is not freed. The leak is a classic resource‑exhaustion weakness (CWE‑772). The description does not explicitly state system crash or other outcomes, but a persistent leak may degrade kernel performance over time.
Affected Systems
This issue affects all Linux kernel releases that include the nft_ct component of netfilter. Because no specific affected kernel versions are listed, every supported release with this subsystem is considered vulnerable until the missing nf_ct_expect_put call is applied via an updated kernel package or a manual patch.
Risk and Exploitability
The CVSS score for the vulnerability is 7.0, and the EPSS score is less than 1%, indicating a very low probability of exploitation in the wild at present. The vulnerability is not recorded in CISA KEV. Based on the description, the likely attack vector involves an adversary sending crafted network traffic that triggers nft_ct_expect_obj_eval, which may repeatedly allocate expectation objects and cause a resource‑leak. While no specific exploits have been published, the potential impact is disruption of services through resource exhaustion. The risk increases if an attacker can maintain sustained traffic to the vulnerable subsystem, but given the low EPSS score, a successful exploitation is not currently presumed likely.
OpenCVE Enrichment
Debian DLA