Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71146

CVE-2025-71146: Linux Kernel Netfilter Leak Vulnerability

CVE-2025-71146 is a resource leak flaw in Linux Kernel's netfilter nf_conncount that causes connection tracking leaks in error paths. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-71146 Overview

CVE-2025-71146 is a memory leak vulnerability [CWE-401] in the Linux kernel's netfilter subsystem, specifically in the nf_conncount module used for connection tracking accounting. The flaw allows conntrack (ct) entries to leak when error paths skip the refcounted check and return immediately. A local, authenticated attacker can repeatedly trigger these error paths to exhaust kernel memory and cause a denial of service.

Critical Impact

Local attackers with low privileges can exhaust kernel memory by triggering leaked conntrack references, leading to system-wide availability loss on affected Linux hosts.

Affected Products

  • Linux Kernel (stable branches prior to fix)
  • Linux Kernel 6.12.63
  • Linux Kernel 6.18.2 and 6.19-rc1

Discovery Timeline

  • 2026-01-23 - CVE-2025-71146 published to NVD
  • 2026-02-26 - Last updated in NVD database

Technical Details for CVE-2025-71146

Vulnerability Analysis

The vulnerability resides in the nf_conncount component of the Linux netfilter framework. The module counts the number of connections matching a particular key for use by iptables and nftables connlimit rules. During normal operation, conntrack objects are reference-counted to ensure proper cleanup when no longer used.

The defect occurs in specific error paths within nf_conncount. These paths return early without invoking the refcount release logic, leaving the associated conntrack entry referenced but unreachable. Over many invocations, these orphaned references accumulate as kernel memory leaks. The issue is classified as a Missing Release of Memory after Effective Lifetime [CWE-401].

Root Cause

The root cause is incomplete cleanup handling in error branches of nf_conncount functions. The refcounted check that releases the conntrack reference is bypassed when functions return immediately on error. The upstream fix ensures the check is always called regardless of which code path executes, restoring correct reference accounting.

Attack Vector

Exploitation requires local access with low privileges on a host running an affected kernel where nf_conncount is active through connlimit rules. An attacker generates network conditions or socket operations that repeatedly trigger the vulnerable error paths. Each iteration leaks kernel memory tied to a conntrack entry. Sustained triggering exhausts system memory, leading to kernel allocation failures, degraded performance, or full denial of service. No code execution or information disclosure occurs.

No public proof-of-concept is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2025-71146

Indicators of Compromise

  • Unexpected growth in kernel slab allocations associated with nf_conntrack entries, visible through /proc/slabinfo.
  • Steady increase in conntrack table usage reported by conntrack -C or /proc/sys/net/netfilter/nf_conntrack_count without corresponding active connections.
  • Kernel log messages indicating nf_conntrack: table full or memory allocation failures under sustained network load.

Detection Strategies

  • Monitor kernel memory consumption trends on hosts using connlimit rules in iptables or nftables.
  • Audit installed kernel versions across the fleet and flag systems running 6.12.63, 6.18.2, or 6.19-rc1 without backported fixes.
  • Correlate process-level network activity with sudden conntrack count increases to identify abusive local workloads.

Monitoring Recommendations

  • Enable detailed slab accounting and ship metrics to a centralized observability platform for long-term trending.
  • Alert on conntrack table utilization exceeding 80 percent of nf_conntrack_max for sustained periods.
  • Track local user activity that generates heavy connection churn, especially from low-privilege accounts.

How to Mitigate CVE-2025-71146

Immediate Actions Required

  • Apply the upstream kernel patches referenced in the stable tree commits and reboot affected systems.
  • Inventory hosts running nf_conncount through connlimit rules and prioritize them for patching.
  • Restrict local shell access on multi-tenant systems until kernels are updated.

Patch Information

The fix is available in the Linux stable tree across multiple branches. See the upstream commits: Kernel Git Commit 08fa37f, Kernel Git Commit 0b88be7, Kernel Git Commit 2e2a720, Kernel Git Commit 325eb61, Kernel Git Commit 4bd2b89, Kernel Git Commit e1ac8dc, and Kernel Git Commit f381a33. The patch enforces the refcounted check in every code path within nf_conncount.

Workarounds

  • Remove or disable connlimit rules in iptables and nftables where operationally feasible until the kernel is patched.
  • Lower nf_conntrack_max cautiously and monitor for early signs of exhaustion to contain the impact window.
  • Apply distribution vendor updates as soon as backported fixes become available for long-term support kernels.
bash
# Verify whether connlimit rules are active and inspect conntrack usage
sudo iptables -S | grep -i connlimit
sudo nft list ruleset | grep -i ct_count
cat /proc/sys/net/netfilter/nf_conntrack_count
cat /proc/sys/net/netfilter/nf_conntrack_max

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.