CVE-2025-37997

Summary

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ipset: fix region locking in hash types

Region locking introduced in v5.6-rc4 contained three macros to handle the region locks: ahash_bucket_start(), ahash_bucket_end() which gave back the start and end hash bucket values belonging to a given region lock and ahash_region() which should give back the region lock belonging to a given hash bucket. The latter was incorrect which can lead to a race condition between the garbage collector and adding new elements when a hash type of set is defined with timeouts.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux5dd9488ae41070b69d2f4acb580f77db5705f9ca < 00cfc5fad1491796942a948808afb968a0a3f35baffected
LinuxLinuxf66ee0410b1c3481ee75e5db9b34547b4d582465 < 226ce0ec38316d9e3739e73a64b6b8304646c658affected
LinuxLinuxf66ee0410b1c3481ee75e5db9b34547b4d582465 < 82c1eb32693bc48251d92532975e19160987e5b9affected
LinuxLinuxf66ee0410b1c3481ee75e5db9b34547b4d582465 < aa77294b0f73bb8265987591460cd25b8722c3dfaffected
LinuxLinuxf66ee0410b1c3481ee75e5db9b34547b4d582465 < a3dfec485401943e315c394c29afe2db8f9481d6affected
LinuxLinuxf66ee0410b1c3481ee75e5db9b34547b4d582465 < e2ab67672b2288521a6146034a971f9a82ffc5c5affected
LinuxLinuxf66ee0410b1c3481ee75e5db9b34547b4d582465 < 6e002ecc1c8cfdfc866b9104ab7888da54613e59affected
LinuxLinuxf66ee0410b1c3481ee75e5db9b34547b4d582465 < 8478a729c0462273188263136880480729e9efcaaffected
LinuxLinuxa469bab3386aebff33c59506f3a95e35b91118fdaffected
LinuxLinux5.4.24 < 5.4.294affected
LinuxLinux5.5.8 < 5.6affected
LinuxLinux5.6affected
LinuxLinux0 < 5.6unaffected
LinuxLinux5.4.294 <= 5.4.*unaffected
LinuxLinux5.10.238 <= 5.10.*unaffected
LinuxLinux5.15.183 <= 5.15.*unaffected
LinuxLinux6.1.139 <= 6.1.*unaffected
LinuxLinux6.6.91 <= 6.6.*unaffected
LinuxLinux6.12.29 <= 6.12.*unaffected
LinuxLinux6.14.7 <= 6.14.*unaffected
LinuxLinux6.15 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

References