CVE-2025-21648

19.01.2025, 11:15

In the Linux kernel, the following vulnerability has been resolved:

netfilter: conntrack: clamp maximum hashtable size to INT_MAX

Use INT_MAX as maximum size for the conntrack hashtable. Otherwise, it
is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when
resizing hashtable because __GFP_NOWARN is unset. See:

0708a0afe291 ("mm: Consider __GFP_NOWARN flag for oversized kvmalloc() calls")

Note: hashtable resize is only possible from init_netns.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	UNKNOWN				---
Linux	CNA	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 18%

Debian Releases

Debian Product

Codename

linux

bullseye	vulnerable
bullseye (security)	5.10.234-1 fixed
bookworm	6.1.129-1 fixed
bookworm (security)	6.1.128-1 fixed
trixie	6.12.20-1 fixed
sid	6.12.21-1 fixed

linux-6.1

bullseye (security)

6.1.129-1~deb11u1

fixed

Vulnerability Media Exposure

[GERMAN] Linux Kernel: Mehrere Schwachstellen
Ein lokaler Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen oder andere nicht spezifizierte Auswirkungen zu verursachen.
Published: 2025-01-19T23:00:00+00:00

References

https://git.kernel.org/stable/c/5552b4fd44be3393b930434a7845d8d95a2a3c33

https://git.kernel.org/stable/c/a965f7f0ea3ae61b9165bed619d5d6da02c75f80

https://git.kernel.org/stable/c/b1b2353d768f1b80cd7fe045a70adee576b9b338

https://git.kernel.org/stable/c/b541ba7d1f5a5b7b3e2e22dc9e40e18a7d6dbc13

https://git.kernel.org/stable/c/d5807dd1328bbc86e059c5de80d1bbee9d58ca3d

https://git.kernel.org/stable/c/f559357d035877b9d0dcd273e0ff83e18e1d46aa