CVE-2025-38201

Summary

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX

Otherwise, it is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when resizing hashtable because __GFP_NOWARN is unset.

Similar to:

b541ba7d1f5a ("netfilter: conntrack: clamp maximum hashtable size to INT_MAX")

Affected Software

VendorProductVersion RangeStatus
LinuxLinux3c4287f62044a90e73a561aa05fc46e62da173da < 1fe27f97944017a9d3c5af4d6d95282bff0f1147affected
LinuxLinux3c4287f62044a90e73a561aa05fc46e62da173da < 4abccfb61f422300be014b8e734c63344306f009affected
LinuxLinux3c4287f62044a90e73a561aa05fc46e62da173da < 80417057ac60dd80f4816eb426e4e4a5bf696534affected
LinuxLinux3c4287f62044a90e73a561aa05fc46e62da173da < df524a68d9021c1401965d610bb6e42ee5d9611eaffected
LinuxLinux3c4287f62044a90e73a561aa05fc46e62da173da < 0ab3de047808f375a36cd345225572eb3366f3c6affected
LinuxLinux3c4287f62044a90e73a561aa05fc46e62da173da < d2768016f091f8a5264076b433fd7c3fabb6eb97affected
LinuxLinux3c4287f62044a90e73a561aa05fc46e62da173da < b85e3367a5716ed3662a4fe266525190d2af76dfaffected
LinuxLinux5.6affected
LinuxLinux0 < 5.6unaffected
LinuxLinux5.10.250 <= 5.10.*unaffected
LinuxLinux5.15.200 <= 5.15.*unaffected
LinuxLinux6.1.163 <= 6.1.*unaffected
LinuxLinux6.6.124 <= 6.6.*unaffected
LinuxLinux6.12.35 <= 6.12.*unaffected
LinuxLinux6.15.4 <= 6.15.*unaffected
LinuxLinux6.16 <= *unaffected

Weaknesses

References