CVE-2025-71146

5.5 MEDIUM

📋 TL;DR

This Linux kernel vulnerability in the netfilter connection tracking subsystem can cause connection tracking entries to be leaked when error conditions occur. This affects all Linux systems using netfilter (including iptables/nftables) for firewall or NAT functionality. The leaked connections can lead to resource exhaustion and system instability.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific affected versions not specified in CVE, but references indicate multiple stable kernel versions are impacted
Operating Systems: All Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using netfilter connection tracking (common in firewalls, NAT gateways, and many network services)

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Resource exhaustion leading to kernel panic or denial of service, potentially causing system crashes and service disruption.

🟠

Likely Case

Gradual memory/connection table exhaustion causing degraded network performance, connection failures, and potential system instability.

🟢

If Mitigated

Minimal impact with proper monitoring and resource limits in place, though still represents a resource leak.

🌐 Internet-Facing: MEDIUM - Systems exposed to network traffic are more likely to trigger the error conditions that cause the leak.
🏢 Internal Only: LOW - Internal systems with controlled traffic patterns are less likely to encounter the specific error paths.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires triggering specific error conditions in netfilter connection tracking, which may require network traffic manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing commits: 08fa37f4c8c59c294e9c18fea2d083ee94074e5a, 0b88be7211d21a0d68bb1e56dc805944e3654d6f, 2e2a720766886190a6d35c116794693aabd332b6, 325eb61bb30790ea27782203a17b007ce1754a67, 4bd2b89f4028f250dd1c1625eb3da1979b04a5e8

Vendor Advisory: https://git.kernel.org/stable/c/08fa37f4c8c59c294e9c18fea2d083ee94074e5a

Restart Required: Yes

Instructions:

1. Update the Linux kernel to the patched version from your distribution vendor.
2. Reboot the system to load the new kernel.
3. Verify the kernel version after reboot.

🔧 Temporary Workarounds

Limit connection tracking table size

linux

Reduce maximum connection tracking entries to limit impact of potential leaks

sysctl -w net.netfilter.nf_conntrack_max=65536
sysctl -w net.netfilter.nf_conntrack_buckets=16384

Monitor connection tracking usage

linux

Implement monitoring to detect abnormal connection tracking growth

watch -n 60 'cat /proc/sys/net/netfilter/nf_conntrack_count'

🧯 If You Can't Patch

  • Implement aggressive monitoring of connection tracking table usage and set up alerts for abnormal growth
  • Consider implementing rate limiting or traffic filtering to reduce load on connection tracking subsystem
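An added monitoring example, not part of the advisory or the kernel project: a POSIX shell script that reads the same nf_conntrack_count / nf_conntrack_max counters the workaround above watches and flags the leak pattern described here (monotonic growth with no drop, past a utilisation threshold). The CONNTRACK_COUNT_FILE / CONNTRACK_MAX_FILE override variables, the 80% threshold and the sample readings are my own constructed assumptions.

```shell
#!/bin/sh
# Added example: conntrack table utilisation and leak-pattern check.
# Live counters come from /proc; the *_FILE overrides (assumed names,
# not kernel interfaces) let the script run offline against test files.

# Percentage of the conntrack table in use: count*100/max, integer.
conntrack_usage_pct() {
    count="$1"; max="$2"
    [ "$max" -gt 0 ] || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# Read the live counters (or the override files); prints "count max".
conntrack_read() {
    cf="${CONNTRACK_COUNT_FILE:-/proc/sys/net/netfilter/nf_conntrack_count}"
    mf="${CONNTRACK_MAX_FILE:-/proc/sys/net/netfilter/nf_conntrack_max}"
    [ -r "$cf" ] && [ -r "$mf" ] || return 1
    echo "$(cat "$cf") $(cat "$mf")"
}

# Given max, a threshold percentage and a series of count samples (oldest
# first), return 0 (alert) only when every sample is strictly higher than the
# previous one AND the latest sample is at or above the threshold; a healthy
# table fluctuates, a leaking one only grows.
conntrack_growth_alert() {
    max="$1"; threshold_pct="$2"; shift 2
    prev=""
    for s in "$@"; do
        if [ -n "$prev" ] && [ "$s" -le "$prev" ]; then
            return 1
        fi
        prev="$s"
    done
    [ -n "$prev" ] || return 1
    [ "$(conntrack_usage_pct "$prev" "$max")" -ge "$threshold_pct" ]
}

# Constructed readings: five one-minute samples on a host with
# nf_conntrack_max=65536 (the value set by the workaround above).
SAMPLE_MAX=65536
SAMPLE_SERIES="41000 44500 48100 52600 57300"

main() {
    # In production, collect the last N outputs of conntrack_read from cron.
    if conntrack_growth_alert "$SAMPLE_MAX" 80 $SAMPLE_SERIES; then
        echo "ALERT: conntrack table growing monotonically, now at" \
             "$(conntrack_usage_pct 57300 "$SAMPLE_MAX")% of nf_conntrack_max"
    fi
}
main "$@"
```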

🔍 How to Verify

Check if Vulnerable:

Check whether the running kernel predates the patched commits: run uname -r and compare the result with your distribution's patched kernel versions.

Check Version:

uname -r

Verify Fix Applied:

After updating, confirm that the running kernel version matches the patched version from your distribution, or check that the fix commits are present in the kernel source.

📡 Detection & Monitoring

Log Indicators:

  • Kernel logs showing connection tracking table full errors
  • System logs showing memory pressure or OOM conditions

Network Indicators:

  • Increasing connection failures over time
  • Degraded network performance

SIEM Query:

source="kernel" AND ("nf_conntrack" OR "connection tracking") AND ("full" OR "error" OR "leak")
