CVE-2025-21648
📋 TL;DR
This vulnerability in the Linux kernel's netfilter conntrack module allows an attacker to trigger a kernel warning by attempting to resize the connection tracking hashtable beyond INT_MAX entries. This affects Linux systems using netfilter conntrack functionality, primarily those with custom configurations or exposed to malicious network traffic. The issue is limited to the initial network namespace (init_netns).
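As an added illustration (not kernel code and not part of the original advisory), the following user-space C model shows why an oversized resize request ends in a kernel warning and what a clamp to INT_MAX changes. The allocator stand-in `model_kvmalloc` refuses any request above INT_MAX bytes, standing in for the WARN_ON_ONCE in __kvmalloc_node_noprof that the advisory names; the 8-byte slot size, the pre-fix bound of UINT_MAX / slot_size entries, and all function names are assumptions made for this model, not the kernel's actual identifiers or checks.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Outcome of a modelled hashtable resize request. */
enum resize_result { RESIZE_OK = 0, RESIZE_REFUSED = 1, RESIZE_WARNED = 2 };

/* Stand-in for a kvmalloc()-style size guard (user-space model, not kernel
 * code): a request above INT_MAX bytes is refused, and because the resize
 * path does not pass __GFP_NOWARN that refusal is also a WARN_ON_ONCE in
 * the real kernel.  Nothing is allocated here; only the decision is modelled. */
static enum resize_result model_kvmalloc(size_t bytes)
{
    if (bytes > (size_t)INT_MAX)
        return RESIZE_WARNED;
    return RESIZE_OK;
}

/* Generic resize path: the caller's bound on the entry count is checked
 * first, then the byte size is handed to the allocator. */
static enum resize_result resize_hashtable(unsigned long nr_entries,
                                           size_t slot_size,
                                           unsigned long max_entries)
{
    if (nr_entries == 0 || nr_entries > max_entries)
        return RESIZE_REFUSED;          /* quiet -EINVAL-style rejection */
    return model_kvmalloc(nr_entries * slot_size);
}

/* Pre-fix bound (assumption for this model): the entry count only had to
 * keep the byte size within an unsigned int. */
enum resize_result resize_before_fix(unsigned long nr_entries, size_t slot_size)
{
    return resize_hashtable(nr_entries, slot_size, UINT_MAX / slot_size);
}

/* Post-fix bound: keep the byte size within INT_MAX, so the allocator's
 * warning guard can never be reached from the resize path. */
enum resize_result resize_after_fix(unsigned long nr_entries, size_t slot_size)
{
    return resize_hashtable(nr_entries, slot_size, INT_MAX / slot_size);
}

int main(void)
{
    const size_t slot = 8;  /* assumption: one list-head pointer per bucket on 64-bit */
    unsigned long sizes[] = { 65536UL, 300000000UL, 4000000000UL };

    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
        printf("%10lu buckets: before-fix=%d after-fix=%d\n", sizes[i],
               (int)resize_before_fix(sizes[i], slot),
               (int)resize_after_fix(sizes[i], slot));
    return 0;
}
```

Bucket counts between INT_MAX / 8 and UINT_MAX / 8 are the window in which the old bound lets a request through that the allocator then rejects loudly (RESIZE_WARNED); the corrected bound turns the same request into a quiet refusal (RESIZE_REFUSED), which is why a patched kernel no longer logs the warning for such a resize.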
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Triggering a kernel warning that could lead to system instability, denial of service, or kernel panic in sensitive environments.
Likely Case
Kernel warning messages in logs with minimal operational impact for most systems.
If Mitigated
No impact if hashtable size is properly configured or if the system is not exposed to malicious traffic.
🎯 Exploit Status
Exploitation requires specific conditions: ability to trigger hashtable resize in init_netns with oversized parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits: 5552b4fd44be3393b930434a7845d8d95a2a3c33, a965f7f0ea3ae61b9165bed619d5d6da02c75f80, b1b2353d768f1b80cd7fe045a70adee576b9b338, b541ba7d1f5a5b7b3e2e22dc9e40e18a7d6dbc13, d5807dd1328bbc86e059c5de80d1bbee9d58ca3d
Vendor Advisory: https://git.kernel.org/stable/c/5552b4fd44be3393b930434a7845d8d95a2a3c33
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a patched version.
2. Reboot the system.
3. Verify that the running kernel version matches the patched release.
🔧 Temporary Workarounds
Limit conntrack hashtable size
Prevent hashtable resize beyond safe limits by configuring a maximum size. Note that sysctl needs the numeric value (INT_MAX is 2147483647), and that nf_conntrack_max bounds the number of tracked entries; the hashtable bucket count itself is a separate setting (net.netfilter.nf_conntrack_buckets, the nf_conntrack hashsize module parameter).
sysctl -w net.netfilter.nf_conntrack_max=2147483647
🧯 If You Can't Patch
- Monitor system logs for kernel warnings related to conntrack or kvmalloc
- Restrict network access to systems to prevent malicious traffic triggering the condition
🔍 How to Verify
Check if Vulnerable:
Compare the running kernel version against the known vulnerable ranges, and check whether conntrack is configured with an unusually large hashtable size.
Check Version:
uname -r
Verify Fix Applied:
Confirm that the running kernel includes the fix commits listed above, and that conntrack hashtable operations no longer trigger warnings.
📡 Detection & Monitoring
Log Indicators:
- Kernel warning messages containing 'WARN_ON_ONCE', '__kvmalloc_node_noprof', or 'conntrack'
Network Indicators:
- Unusual network traffic patterns attempting to create excessive connections
SIEM Query:
source="kernel" AND ("WARN_ON_ONCE" OR "conntrack" OR "kvmalloc")
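As an added example (not from the original advisory), the following C program runs the page's log indicators over a constructed sample of kernel log lines and compares the per-line OR query above with a correlated matcher that only counts a warning trace out of the kvmalloc guard when a conntrack frame appears in the same trace. The sample lines, timestamps and symbol offsets are made up for the example; nothing in it is captured output.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of kernel log lines (not real captured output): one
 * routine conntrack module message, one WARNING trace out of the kvmalloc
 * guard with conntrack frames, and one unrelated line.  Timestamps, symbol
 * offsets and the file:line placeholder are made up. */
static const char *const sample_log[] = {
    "[   12.100000] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found.",
    "[  301.400000] ------------[ cut here ]------------",
    "[  301.400001] WARNING: CPU: 1 PID: 1234 at mm/util.c:NNN __kvmalloc_node_noprof+0x1a0/0x1c0",
    "[  301.400002] Call Trace:",
    "[  301.400003]  nf_ct_alloc_hashtable+0x3c/0xa0 [nf_conntrack]",
    "[  301.400004]  nf_conntrack_hash_resize+0x50/0x1f0 [nf_conntrack]",
    "[  301.400005] ---[ end trace 0000000000000000 ]---",
    "[  400.000000] audit: type=1400 audit(0.0:1): apparmor=\"STATUS\"",
};
#define SAMPLE_LOG_LEN (sizeof(sample_log) / sizeof(sample_log[0]))

/* The page's SIEM query evaluated per line: any one of the three tokens. */
int count_broad_query_hits(const char *const *lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (strstr(lines[i], "WARN_ON_ONCE") || strstr(lines[i], "conntrack") ||
            strstr(lines[i], "kvmalloc"))
            hits++;
    return hits;
}

/* Correlated detection: a WARNING line naming kvmalloc opens a trace; the
 * trace counts as one event only if a conntrack frame shows up before the
 * "end trace" marker.  Unrelated conntrack chatter is ignored. */
int count_conntrack_kvmalloc_warnings(const char *const *lines, size_t n)
{
    int events = 0, in_trace = 0, saw_conntrack = 0;
    for (size_t i = 0; i < n; i++) {
        const char *l = lines[i];
        if (strstr(l, "WARNING:") && strstr(l, "kvmalloc")) {
            in_trace = 1;
            saw_conntrack = 0;
            continue;
        }
        if (!in_trace)
            continue;
        if (strstr(l, "conntrack"))
            saw_conntrack = 1;
        if (strstr(l, "end trace")) {
            events += saw_conntrack;
            in_trace = 0;
        }
    }
    return events;
}

/* Convenience wrappers that run both matchers over the constructed sample. */
int demo_broad_hits(void)
{
    return count_broad_query_hits(sample_log, SAMPLE_LOG_LEN);
}

int demo_correlated_events(void)
{
    return count_conntrack_kvmalloc_warnings(sample_log, SAMPLE_LOG_LEN);
}

int main(void)
{
    printf("broad query hits: %d\n", demo_broad_hits());
    printf("correlated warning events: %d\n", demo_correlated_events());
    return 0;
}
```

Against the constructed sample the OR query fires four times, three of them on an ordinary module message and on trace-frame lines, while the correlated matcher reports one event. Note also that WARN_ON_ONCE() does not print its own macro name: the kernel logs "WARNING: CPU: ... at <file>:<line> <function>", so matching on the "WARNING:" prefix together with the function name (__kvmalloc_node_noprof) is what actually catches the line; a rule keyed on the literal string 'WARN_ON_ONCE' alone will miss it.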
🔗 References
- https://git.kernel.org/stable/c/5552b4fd44be3393b930434a7845d8d95a2a3c33
- https://git.kernel.org/stable/c/a965f7f0ea3ae61b9165bed619d5d6da02c75f80
- https://git.kernel.org/stable/c/b1b2353d768f1b80cd7fe045a70adee576b9b338
- https://git.kernel.org/stable/c/b541ba7d1f5a5b7b3e2e22dc9e40e18a7d6dbc13
- https://git.kernel.org/stable/c/d5807dd1328bbc86e059c5de80d1bbee9d58ca3d
- https://git.kernel.org/stable/c/f559357d035877b9d0dcd273e0ff83e18e1d46aa
- https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html