CVE-2025-21958
📋 TL;DR
This CVE describes a race condition in the Linux kernel's Open vSwitch conntrack module where attempting to allocate labels for confirmed conntrack entries triggers a kernel warning. The vulnerability affects Linux systems using Open vSwitch with conntrack functionality enabled. The issue was introduced by a specific commit and has been reverted to prevent kernel warnings.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel warning leading to system instability or denial of service if warnings are treated as errors in production environments.
Likely Case
Kernel warning messages in system logs without significant operational impact.
If Mitigated
No impact if the vulnerable commit is not present or the revert has been applied.
🎯 Exploit Status
This is a race condition requiring specific timing and configuration. No known active exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions with commit 1063ae07383c0ddc5bcce170260c143825846b03 applied
Vendor Advisory: https://git.kernel.org/stable/c/1063ae07383c0ddc5bcce170260c143825846b03
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a version containing the revert commit 1063ae07383c0ddc5bcce170260c143825846b03.
2. Reboot the system to load the new kernel.
3. Verify the kernel version after reboot.
🔧 Temporary Workarounds
Disable Open vSwitch conntrack
If conntrack functionality is not required, disable it in the Open vSwitch configuration:
ovs-vsctl set Open_vSwitch . other_config:disable-ct=true
🧯 If You Can't Patch
- Monitor system logs for kernel warnings related to nf_ct_ext_add()
- Consider disabling Open vSwitch conntrack functionality if not required
🔍 How to Verify
Check if Vulnerable:
Check if kernel contains commit fcb1aa5163b1: 'git log --oneline | grep fcb1aa5163b1' or check kernel version against affected range
Check Version:
uname -r
Verify Fix Applied:
Verify kernel contains revert commit 1063ae07383c0ddc5bcce170260c143825846b03: 'git log --oneline | grep 1063ae07383c0ddc5bcce170260c143825846b03'
📡 Detection & Monitoring
Log Indicators:
- Kernel warning messages containing 'nf_ct_ext_add' or 'WARN_ON(nf_ct_is_confirmed(ct))'
Network Indicators:
- No specific network indicators
SIEM Query:
source="kernel" AND ("nf_ct_ext_add" OR "WARN_ON(nf_ct_is_confirmed)")
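The query above only works as intended when the OR is grouped, so that non-kernel sources mentioning the same strings are excluded. The following added example (not part of the original advisory) applies that logic to syslog-style lines; the sample lines and the `host1` / stack offsets in them are constructed, not captured from a real system.

```python
"""Scan syslog-style lines for the CVE-2025-21958 kernel-warning indicators."""
import re
from typing import NamedTuple, Optional

# Indicator substrings taken from the advisory's "Log Indicators" section.
INDICATORS = ("nf_ct_ext_add", "WARN_ON(nf_ct_is_confirmed")

# "<timestamp> <host> <source>[pid]: <message>" (journald/syslog text format)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) "
    r"(?P<source>[\w.-]+?)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Constructed sample log; line 3 mentions the indicator from userspace and must NOT match.
SAMPLE_LOG = """\
Mar 10 12:00:01 host1 kernel: [  123.456789] WARNING: CPU: 2 PID: 1234 at nf_ct_ext_add+0x1b0/0x1c0 [nf_conntrack]
Mar 10 12:00:01 host1 kernel: [  123.456790] Call Trace:
Mar 10 12:00:02 host1 ovs-vswitchd[812]: userspace note mentioning nf_ct_ext_add
Mar 10 12:00:03 host1 kernel: [  124.000000] WARN_ON(nf_ct_is_confirmed(ct)) triggered
Mar 10 12:00:04 host1 sshd[900]: Accepted publickey for alice
"""

class Hit(NamedTuple):
    ts: str
    host: str
    indicator: str
    msg: str

def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def match_ovs_ct_warning(rec: Optional[dict]) -> Optional[str]:
    """source == kernel AND (indicator1 OR indicator2); the AND is applied first."""
    if rec is None or rec["source"] != "kernel":
        return None
    for ind in INDICATORS:
        if ind in rec["msg"]:
            return ind
    return None

def scan(log_text: str) -> list:
    """Return one Hit per kernel line that carries an indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        ind = match_ovs_ct_warning(rec)
        if ind:
            hits.append(Hit(rec["ts"], rec["host"], ind, rec["msg"]))
    return hits
```

Feed the output of `journalctl -k` or `dmesg -T` to `scan()` to get the same filtering the SIEM query is meant to perform.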