Join the Cyber Forum: Threat Intel on May 12, 2026 to learn how AI is reshaping threat defense.Join the Virtual Cyber Forum: Threat IntelRegister Now
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71160

CVE-2025-71160: Linux Kernel Netfilter DoS Vulnerability

CVE-2025-71160 is a denial of service flaw in the Linux kernel's netfilter nf_tables component that causes CPU soft lockups during chain validation. This article covers technical details, affected versions, and mitigation.

Published: January 30, 2026

CVE-2025-71160 Overview

A denial of service vulnerability exists in the Linux kernel's netfilter subsystem, specifically within the nf_tables module. The vulnerability occurs during chain validation in nft_chain_validate(), where CPU soft lock-ups can be triggered due to inefficient traversal of chain graphs during table validation. When processing complex rule sets with multiple chain jumps, the kernel fails to optimize revalidation of previously checked chains, leading to excessive CPU consumption and system hangs.

Critical Impact

Exploitation of this vulnerability can cause CPU soft lock-ups lasting 27 seconds or more, effectively causing denial of service conditions on affected Linux systems running netfilter/nf_tables for packet filtering.

Affected Products

  • Linux Kernel with nf_tables module enabled
  • Systems using iptables-nft for firewall management
  • Linux distributions with netfilter framework

Discovery Timeline

  • 2026-01-23 - CVE CVE-2025-71160 published to NVD
  • 2026-01-26 - Last updated in NVD database

Technical Details for CVE-2025-71160

Vulnerability Analysis

This vulnerability resides in the netfilter nf_tables chain validation logic within the Linux kernel. The nft_chain_validate() function is responsible for traversing the entire table (chain graph), starting from entry points (base chains) and exploring all possible paths through chain jumps. The vulnerability stems from the lack of optimization to avoid redundant revalidation of chains that have already been verified.

The call stack captured during the soft lockup reveals a recursive pattern between nft_chain_validate() and nft_immediate_validate(), indicating that the same chains are being validated multiple times unnecessarily. This excessive revalidation consumes significant CPU resources, eventually triggering the kernel's watchdog mechanism to report a soft lockup condition.

The fix addresses this by implementing logic to skip revalidation when possible, while maintaining necessary security checks. The optimization must still account for:

  1. Jump stack depth validation - Ensuring chain loops don't exceed the allowed jump stack size
  2. Base chain context tracking - Recording the base chain type and hooknum to ensure expressions are only called from valid contexts (e.g., masquerade expressions should only be called from NAT postrouting base chains)

Root Cause

The root cause is the absence of memoization or caching during chain graph traversal in nft_table_validate(). When multiple rules reference the same chain jump targets, the validation code revalidates those chains from scratch each time they are encountered in the traversal path. This creates an algorithmic complexity issue where validation time grows exponentially with the number of rules and chain interconnections.

Consider the example from the vulnerability report where three rules reference overlapping chain paths:

  • Rule 1: input -> j2 -> j3
  • Rule 2: input -> j2 -> j3
  • Rule 3: input -> j1 -> j2 -> j3

Without optimization, chains j2 and j3 would be validated multiple times unnecessarily for Rules 1 and 2, when only Rule 3 requires fresh validation due to the increased call depth from the additional j1 jump.

Attack Vector

The vulnerability can be triggered by a local user with sufficient privileges to configure netfilter rules (typically requiring CAP_NET_ADMIN capability). An attacker could craft a malicious ruleset with complex chain jump patterns that maximize the revalidation overhead, causing sustained CPU soft lockups during the nf_tables_commit() operation.

The attack leverages the kernel's table validation mechanism that occurs during rule commits, making it possible to repeatedly trigger the condition by modifying firewall rules programmatically through iptables-nft or similar tools.

Detection Methods for CVE-2025-71160

Indicators of Compromise

  • Kernel watchdog messages indicating soft lockups on CPUs running iptables-nft processes
  • System log entries showing BUG: soft lockup - CPU#X stuck for Ys! with stack traces referencing nft_chain_validate
  • High CPU utilization in kernel space correlating with netfilter rule modifications
  • Processes stuck in uninterruptible sleep state during firewall configuration changes

Detection Strategies

  • Monitor system logs for soft lockup warnings mentioning nf_tables or nft_chain_validate in the call stack
  • Implement auditd rules to track netfilter configuration changes via iptables-nft or nft commands
  • Deploy kernel tracing (ftrace/eBPF) to monitor excessive time spent in nft_chain_validate() function
  • Configure alerts for abnormal CPU utilization patterns during firewall rule updates

Monitoring Recommendations

  • Enable kernel watchdog monitoring and alert on soft lockup events
  • Monitor /var/log/kern.log or journal for netfilter-related kernel messages
  • Track netfilter rule complexity metrics including chain count and jump depth
  • Implement rate limiting on firewall rule modifications in production environments

How to Mitigate CVE-2025-71160

Immediate Actions Required

  • Apply the latest kernel security patches that include the fix for this vulnerability
  • Limit CAP_NET_ADMIN capability to trusted users and processes only
  • Review existing firewall rulesets to minimize unnecessary chain complexity
  • Consider implementing firewall rule change controls in multi-tenant environments

Patch Information

The Linux kernel maintainers have released patches to address this vulnerability. The fix implements optimization logic to avoid unnecessary chain revalidation while maintaining proper security checks for jump stack depth and base chain context validation. The following commits contain the relevant fixes:

  • Kernel Git Commit - Fix
  • Kernel Git Commit - Update
  • Kernel Git Commit - Merge
  • Kernel Git Commit - Change

System administrators should update to a kernel version that includes these commits or apply vendor-specific security patches.

Workarounds

  • Restrict access to netfilter configuration utilities to minimize attack surface
  • Implement resource limits and timeouts for firewall rule processing operations
  • Consider using iptables-legacy instead of iptables-nft on affected systems until patches can be applied
  • Segment high-risk firewall management operations to dedicated administrative systems
bash
# Configuration example
# Limit CAP_NET_ADMIN capability to reduce attack surface
# Check which processes have CAP_NET_ADMIN
getpcaps $(pgrep -x iptables-nft)

# Restrict netfilter administration to specific users via sudo
# Add to /etc/sudoers.d/netfilter
# %netfilter-admins ALL=(root) /usr/sbin/iptables, /usr/sbin/nft

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeDOS
  • Vendor/TechLinux Kernel
  • SeverityNONE
  • CVSS ScoreN/A
  • EPSS Probability0.02%
  • Known ExploitedNo
  • Impact Assessment
  • ConfidentialityNone
  • IntegrityNone
  • AvailabilityNone
  • Technical References
  • Kernel Git Commit - Fix
  • Kernel Git Commit - Update
  • Kernel Git Commit - Merge
  • Kernel Git Commit - Change
  • Related CVEs
  • CVE-2026-31465: Linux Kernel Writeback DoS Vulnerability
  • CVE-2026-31472: Linux Kernel IPTFS DoS Vulnerability
  • CVE-2026-31451: Linux Kernel ext4 DOS Vulnerability
  • CVE-2026-31448: Linux Kernel ext4 DoS Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English