Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_ct: fix missing expect put in obj eval

nft_ct_expect_obj_eval() allocates an expectation and may call
nf_ct_expect_related(), but never drops its local reference.

Add nf_ct_expect_put(exp) before return to balance allocation.
Published: 2026-06-24
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Linux kernel’s netfilter nft_ct subsystem. The function nft_ct_expect_obj_eval allocates an expectation object but never releases its reference before returning. This omission can lead to a memory leak within the kernel, as the allocated expectation is not freed. The leak is a classic resource‑exhaustion weakness (CWE‑772). The description does not explicitly state system crash or other outcomes, but a persistent leak may degrade kernel performance over time.

Affected Systems

This issue affects all Linux kernel releases that include the nft_ct component of netfilter. Because no specific affected kernel versions are listed, every supported release with this subsystem is considered vulnerable until the missing nf_ct_expect_put call is applied via an updated kernel package or a manual patch.

Risk and Exploitability

The CVSS score for the vulnerability is 7.0, and the EPSS score is less than 1%, indicating a very low probability of exploitation in the wild at present. The vulnerability is not recorded in CISA KEV. Based on the description, the likely attack vector involves an adversary sending crafted network traffic that triggers nft_ct_expect_obj_eval, which may repeatedly allocate expectation objects and cause a resource‑leak. While no specific exploits have been published, the potential impact is disruption of services through resource exhaustion. The risk increases if an attacker can maintain sustained traffic to the vulnerable subsystem, but given the low EPSS score, a successful exploitation is not currently presumed likely.

Generated by OpenCVE AI on June 27, 2026 at 03:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel update that contains the nf_ct_expect_put fix.
  • If an official update is not yet available, recompile the kernel with the vendor’s patch that adds the missing nf_ct_expect_put call.
  • While awaiting a patch, monitor kernel memory usage for abnormal growth and consider limiting or filtering traffic to the nft_ct subsystem to reduce attack surface.

Generated by OpenCVE AI on June 27, 2026 at 03:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sat, 27 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-739

Sat, 27 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-739

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: fix missing expect put in obj eval nft_ct_expect_obj_eval() allocates an expectation and may call nf_ct_expect_related(), but never drops its local reference. Add nf_ct_expect_put(exp) before return to balance allocation.
Title netfilter: nft_ct: fix missing expect put in obj eval
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:28:48.882Z

Reserved: 2026-06-09T07:44:35.375Z

Link: CVE-2026-52970

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52970 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T04:00:10Z

Weaknesses
  • CWE-772

    Missing Release of Resource after Effective Lifetime