CVE-2025-71160

EUVD-2026-4318
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: avoid chain re-validation if possible

Hamza Mahfooz reports cpu soft lock-ups in
nft_chain_validate():

 watchdog: BUG: soft lockup - CPU#1 stuck for 27s! [iptables-nft-re:37547]
[..]
 RIP: 0010:nft_chain_validate+0xcb/0x110 [nf_tables]
[..]
  nft_immediate_validate+0x36/0x50 [nf_tables]
  nft_chain_validate+0xc9/0x110 [nf_tables]
  nft_immediate_validate+0x36/0x50 [nf_tables]
  nft_chain_validate+0xc9/0x110 [nf_tables]
  nft_immediate_validate+0x36/0x50 [nf_tables]
  nft_chain_validate+0xc9/0x110 [nf_tables]
  nft_immediate_validate+0x36/0x50 [nf_tables]
  nft_chain_validate+0xc9/0x110 [nf_tables]
  nft_immediate_validate+0x36/0x50 [nf_tables]
  nft_chain_validate+0xc9/0x110 [nf_tables]
  nft_immediate_validate+0x36/0x50 [nf_tables]
  nft_chain_validate+0xc9/0x110 [nf_tables]
  nft_table_validate+0x6b/0xb0 [nf_tables]
  nf_tables_validate+0x8b/0xa0 [nf_tables]
  nf_tables_commit+0x1df/0x1eb0 [nf_tables]
[..]

Currently nf_tables will traverse the entire table (chain graph), starting
from the entry points (base chains), exploring all possible paths
(chain jumps).  But there are cases where we could avoid revalidation.

Consider:
1  input -> j2 -> j3
2  input -> j2 -> j3
3  input -> j1 -> j2 -> j3

Then the second rule does not need to revalidate j2, and, by extension j3,
because this was already checked during validation of the first rule.
We need to validate it only for rule 3.

This is needed because chain loop detection also ensures we do not exceed
the jump stack: Just because we know that j2 is cycle free, its last jump
might now exceed the allowed stack size.  We also need to update all
reachable chains with the new largest observed call depth.

Care has to be taken to revalidate even if the chain depth won't be an
issue: chain validation also ensures that expressions are not called from
invalid base chains.  For example, the masquerade expression can only be
called from NAT postrouting base chains.

Therefore we also need to keep record of the base chain context (type,
hooknum) and revalidate if the chain becomes reachable from a different
hook location.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 5%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
4.18 ≤
𝑥
< 6.6.121
linuxlinux_kernel
6.7 ≤
𝑥
< 6.12.66
linuxlinux_kernel
6.13 ≤
𝑥
< 6.18.6
linuxlinux_kernel
6.19:rc1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
vulnerable
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
7.0.13-1
fixed
sid
7.1.3-1
fixed
trixie
6.12.86-1
fixed
trixie (security)
6.12.95-1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
bpftool6.12
Amazon Linux 2023
1:6.12.66-88.122.amzn2023
fixed
bpftool6.12-debuginfo
Amazon Linux 2023
1:6.12.66-88.122.amzn2023
fixed
kernel-livepatch-6.12.66-88.122
Amazon Linux 2023
1:1.0-0.amzn2023
fixed
kernel6.12
Amazon Linux 2023
1:6.12.66-88.122.amzn2023
fixed
kernel6.12-debuginfo
Amazon Linux 2023
1:6.12.66-88.122.amzn2023
fixed
kernel6.12-debuginfo-common-aarch64
Amazon Linux 2023
1:6.12.66-88.122.amzn2023
fixed
kernel6.12-debuginfo-common-x86_64
Amazon Linux 2023
1:6.12.66-88.122.amzn2023
fixed
kernel6.12-devel
Amazon Linux 2023
1:6.12.66-88.122.amzn2023
fixed
kernel6.12-headers
Amazon Linux 2023
1:6.12.66-88.122.amzn2023
fixed
kernel6.12-libbpf
Amazon Linux 2023
1:6.12.66-88.122.amzn2023
fixed
kernel6.12-libbpf-debuginfo
Amazon Linux 2023
1:6.12.66-88.122.amzn2023
fixed
kernel6.12-libbpf-devel
Amazon Linux 2023
1:6.12.66-88.122.amzn2023
fixed
kernel6.12-libbpf-static
Amazon Linux 2023
1:6.12.66-88.122.amzn2023
fixed
kernel6.12-modules-extra
Amazon Linux 2023
1:6.12.66-88.122.amzn2023
fixed
kernel6.12-modules-extra-common
Amazon Linux 2023
1:6.12.66-88.122.amzn2023
fixed
kernel6.12-tools
Amazon Linux 2023
1:6.12.66-88.122.amzn2023
fixed
kernel6.12-tools-debuginfo
Amazon Linux 2023
1:6.12.66-88.122.amzn2023
fixed
kernel6.12-tools-devel
Amazon Linux 2023
1:6.12.66-88.122.amzn2023
fixed
perf6.12
Amazon Linux 2023
1:6.12.66-88.122.amzn2023
fixed
perf6.12-debuginfo
Amazon Linux 2023
1:6.12.66-88.122.amzn2023
fixed
python3-perf6.12
Amazon Linux 2023
1:6.12.66-88.122.amzn2023
fixed
python3-perf6.12-debuginfo
Amazon Linux 2023
1:6.12.66-88.122.amzn2023
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
kernel
Azure Linux 3.0
0:6.6.121.1-1.azl3
fixed