Impact
The Linux kernel netfilter nft_ct component allocates an expectation object in nft_ct_expect_obj_eval but fails to release its reference when the function returns. The omission is a memory leak: a small amount of kernel memory is lost every time the evaluation path runs, and the loss accumulates over time. The leak does not directly expose data or modify state, but sustained exhaustion can degrade performance or force the kernel to invoke the out-of-memory killer, potentially terminating processes and disrupting services.
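As an added illustration, not kernel code and not part of this advisory, the following userland C model shows why a skipped put leaks: the evaluation path takes a reference when it allocates the expectation and never drops it, so the object outlives every other holder. All names are hypothetical stand-ins for the kernel's own, and the conntrack core is reduced to taking and later dropping its own reference.

```c
#include <stdlib.h>
/* Added example: userland model of the defect, not kernel code; all names
 * are hypothetical stand-ins for the kernel's own. */
static int live_expects;            /* allocated objects: the leak meter */
struct expect { int refcnt; };
/* Allocate an expectation; the caller owns one reference. */
static struct expect *expect_alloc(void) {
    struct expect *e = calloc(1, sizeof *e);
    if (!e) abort();
    e->refcnt = 1;
    live_expects++;
    return e;
}

/* Drop one reference, freeing on the last (like nf_ct_expect_put). */
static void expect_put(struct expect *e) {
    if (--e->refcnt == 0) {
        free(e);
        live_expects--;
    }
}
/* Simplified conntrack core: holds its own reference while the expectation
 * is registered and drops it when the expectation expires. */
static void expect_register(struct expect *e) { e->refcnt++; }
static void expect_expire(struct expect *e)   { expect_put(e); }

/* Buggy path: returns without dropping the reference taken at alloc. */
static int eval_leaky(void) {
    struct expect *e = expect_alloc();
    expect_register(e);
    expect_expire(e);   /* core's reference gone; ours is still held */
    return 0;           /* e goes out of scope: the object is never freed */
}

/* Fixed path: release the local reference before returning. */
static int eval_fixed(void) {
    struct expect *e = expect_alloc();
    expect_register(e);
    expect_expire(e);
    expect_put(e);      /* the fix: drop the reference taken at alloc */
    return 0;
}
/* Run one evaluation path n times; return how many objects are left over. */
static int leaked_after(int (*eval)(void), int n) {
    int before = live_expects;
    for (int i = 0; i < n; i++)
        (void)eval();
    return live_expects - before;
}
```

Running each path a thousand times leaves a thousand live objects for the buggy version and none for the fixed one, which is the growth a defender would look for in slab statistics or a kmemleak report on an affected host.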
Affected Systems
This issue affects all Linux kernel releases that contain the nft_ct subsystem. No specific kernel versions were listed, so every supported version with netfilter nft_ct is vulnerable until the nf_ct_expect_put fix is applied through an updated kernel package or a manual patch.
Risk and Exploitability
The CVSS score is not disclosed and the EPSS score is unavailable; the vulnerability is not listed in CISA KEV. The flaw is a classic resource-leak weakness (CWE-739). An attacker with network-level access can repeatedly send crafted packets that trigger nft_ct_expect_obj_eval, thereby exhausting kernel memory. Although no exploits have been documented, the potential impact is a denial of service, which may require sustained attack traffic, and the lack of a known workaround increases the risk for environments that cannot update promptly.
OpenCVE Enrichment