CVE-2025-71097 Overview
CVE-2025-71097 is a Linux kernel vulnerability in the IPv4 routing subsystem. The flaw causes a reference count leak when error routes (such as blackhole routes) are associated with nexthop objects. When a nexthop object is deleted, the kernel marks it as dead and calls fib_table_flush() to remove dependent routes. However, error routes are only flushed during network namespace dismantle, leaving stale references on the nexthop object and its underlying network device. The result is a persistent unregister_netdevice: waiting for <dev> to become free condition that prevents device teardown.
Critical Impact
Local users with CAP_NET_ADMIN can trigger reference count leaks that prevent network device unregistration, leading to availability loss and potential kernel resource exhaustion.
Affected Products
- Linux Kernel (multiple stable branches up to 6.19-rc8)
- Linux Kernel 5.3 and later releases containing the nexthop object infrastructure
- Linux Kernel 6.19 release candidates rc1 through rc8
Discovery Timeline
- 2026-01-13 - CVE-2025-71097 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2025-71097
Vulnerability Analysis
The vulnerability resides in the IPv4 Forwarding Information Base (FIB) flushing logic in fib_table_flush(). When a nexthop object referenced by routes is deleted using ip nexthop del, the kernel marks the nexthop as dead and walks the FIB to remove dependent entries. The flush routine intentionally skips error routes such as blackhole, unreachable, and prohibit entries unless invoked with flush_all=true, a condition only set during network namespace dismantle.
As a result, error routes that reference a deleted nexthop remain in the routing table. These stale routes continue to hold a reference on the nexthop object, which in turn holds a reference on the underlying network device. When the administrator attempts to delete the device, the kernel reports unregister_netdevice: waiting for <dev> to become free. Usage count = 2 indefinitely. IPv6 is not affected because its flushing logic differs.
Root Cause
The root cause is incomplete cleanup logic in fib_table_flush(). Error routes were treated as namespace-scoped resources rather than nexthop-dependent resources. When the dependency changed with the introduction of nexthop object support, the flush predicate was not updated to release error routes whose nexthop was marked dead.
Attack Vector
Exploitation requires local access and the CAP_NET_ADMIN capability to create nexthops, install routes, and delete network devices. The reproduction sequence involves creating a dummy interface, adding a nexthop, adding a blackhole route bound to that nexthop, deleting the nexthop, and attempting to delete the interface. Each cycle leaks a netdevice reference, which can be repeated to exhaust kernel resources or pin devices in the dying state. No verified public proof-of-concept exploit code is available beyond the reproducer described in the upstream commit message.
Detection Methods for CVE-2025-71097
Indicators of Compromise
- Kernel log messages containing unregister_netdevice: waiting for <interface> to become free. Usage count = N that persist across multiple polling intervals.
- Routing tables that retain blackhole, unreachable, or prohibit entries referencing a nhid after the corresponding nexthop has been deleted.
- Network interfaces that remain in a pending-delete state and cannot be re-created with the same name.
Detection Strategies
- Monitor dmesg and /var/log/messages for repeated unregister_netdevice warnings tied to specific interfaces.
- Audit nexthop and route state with ip nexthop show and ip route show type blackhole to identify error routes referencing deleted nexthops.
- Track kernel version and patch status across the fleet to identify hosts running affected 6.x release candidates or unpatched stable branches.
Monitoring Recommendations
- Alert on systems where network device deletion operations exceed expected duration or hang indefinitely.
- Correlate CAP_NET_ADMIN-granted process activity with nexthop and route modification syscalls via audit rules.
- Baseline normal routing-table churn to surface anomalous repeated creation and deletion of nexthop objects.
How to Mitigate CVE-2025-71097
Immediate Actions Required
- Apply the upstream kernel patches referenced by the stable tree commits listed in the vendor advisory section.
- Restrict CAP_NET_ADMIN to trusted administrators and service accounts that require network configuration privileges.
- Inventory hosts running affected kernel versions and prioritize patching on systems that expose nexthop management to multi-tenant or unprivileged workloads.
Patch Information
The fix updates fib_table_flush() to also flush error routes when their associated nexthop is marked dead. The patch has been merged into the mainline kernel and backported to multiple stable branches. Refer to the upstream commits: Kernel.org Commit 30386e0, Kernel.org Commit 33ff5c2, Kernel.org Commit 5979338, Kernel.org Commit 5de7ad7, Kernel.org Commit ac782f4, Kernel.org Commit e3fc381, and Kernel.org Commit ee41835.
Workarounds
- Manually delete error routes (ip route del blackhole <prefix>) before deleting their associated nexthop objects.
- Avoid binding error routes such as blackhole, unreachable, or prohibit to nexthop objects on affected kernels; use direct device or gateway specifications instead.
- Limit the set of users and containers permitted to manage nexthops by tightening namespace and capability policies.
# Workaround: remove error routes before deleting their nexthop
ip route show type blackhole | awk '/nhid/ {print $2}' | \
xargs -I{} ip route del blackhole {}
ip nexthop del id <nhid>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
