CVE-2025-71097
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv4: Fix reference count leak when using error routes with nexthop objects
When a nexthop object is deleted, it is marked as dead and then fib_table_flush() is called to flush all the routes that are using the dead nexthop.
The current logic in fib_table_flush() is to only flush error routes (e.g., blackhole) when it is called as part of network namespace dismantle (i.e., with flush_all=true). Therefore, error routes are not flushed when their nexthop object is deleted:
ip link add name dummy1 up type dummy
ip nexthop add id 1 dev dummy1
ip route add 198.51.100.1/32 nhid 1
ip route add blackhole 198.51.100.2/32 nhid 1
ip nexthop del id 1
ip route show
blackhole 198.51.100.2 nhid 1 dev dummy1
As such, they keep holding a reference on the nexthop object which in turn holds a reference on the nexthop device, resulting in a reference count leak:
ip link del dev dummy1
[ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2
Fix by flushing error routes when their nexthop is marked as dead.
IPv6 does not suffer from this problem.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 493ced1ac47c48bb86d9d4e8e87df8592be85a0e < 5de7ad7e18356e39e8fbf7edd185a5faaf4f385a | affected |
| Linux | Linux | 493ced1ac47c48bb86d9d4e8e87df8592be85a0e < 33ff5c207c873215e54e6176624ed57423cb7dea | affected |
| Linux | Linux | 493ced1ac47c48bb86d9d4e8e87df8592be85a0e < 30386e090c49e803c0616a7147e43409c32a2b0e | affected |
| Linux | Linux | 493ced1ac47c48bb86d9d4e8e87df8592be85a0e < 5979338c83012110ccd45cae6517591770bfe536 | affected |
| Linux | Linux | 493ced1ac47c48bb86d9d4e8e87df8592be85a0e < ee4183501ea556dca31f5ffd8690aa9fd25b609f | affected |
| Linux | Linux | 493ced1ac47c48bb86d9d4e8e87df8592be85a0e < e3fc381320d04e4a74311e576a86cac49a16fc43 | affected |
| Linux | Linux | 493ced1ac47c48bb86d9d4e8e87df8592be85a0e < ac782f4e3bfcde145b8a7f8af31d9422d94d172a | affected |
| Linux | Linux | 5.3 | affected |
| Linux | Linux | 0 < 5.3 | unaffected |
| Linux | Linux | 5.10.248 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.198 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.160 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.120 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.64 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.4 <= 6.18.* | unaffected |
| Linux | Linux | 6.19 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/5de7ad7e18356e39e8fbf7edd185a5faaf4f385a
- https://git.kernel.org/stable/c/33ff5c207c873215e54e6176624ed57423cb7dea
- https://git.kernel.org/stable/c/30386e090c49e803c0616a7147e43409c32a2b0e
- https://git.kernel.org/stable/c/5979338c83012110ccd45cae6517591770bfe536
- https://git.kernel.org/stable/c/ee4183501ea556dca31f5ffd8690aa9fd25b609f
- https://git.kernel.org/stable/c/e3fc381320d04e4a74311e576a86cac49a16fc43
- https://git.kernel.org/stable/c/ac782f4e3bfcde145b8a7f8af31d9422d94d172a
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.