A new vulnerability has recently been discovered and resolved in the Linux kernel, specifically in the netfilter conntrack subsystem. This vulnerability, identified as CVE-2025-21648, can trigger a kernel warning (WARN_ON_ONCE) when the conntrack hashtable is resized to an oversized value, leading to unwanted system behavior. In this post, we discuss the details of the vulnerability, the code change that fixes it, and the steps to mitigate the issue.

Vulnerability Details

The vulnerability affects the netfilter conntrack subsystem, which tracks network connections as they traverse the stages of a Linux machine's networking stack. The issue arises because the maximum size of the conntrack hashtable was not properly bounded. If the requested size is left unbounded, the allocation handed to the allocator can exceed what it accepts, which triggers a WARN_ON_ONCE in the __kvmalloc_node_noprof() function because the __GFP_NOWARN flag is not set.

The original reference for this issue can be found in the Linux kernel commit history here.

Code Snippet

The solution is to bound the conntrack hashtable size by INT_MAX. The code sketch below illustrates the check that the change introduces:

/* Sketch of the fix (illustrative, not the verbatim upstream diff):
 * bound the requested bucket count before the table is allocated, so the
 * byte size passed to kvmalloc() can never exceed INT_MAX. */
#include <linux/limits.h>

...
/* Existing code: an empty table is never valid */
if (!hashsize)
        return -EINVAL;

/* Change introduced to clamp the maximum size of the hashtable to INT_MAX */
if (hashsize > INT_MAX)
        return -EINVAL;
...

With this change, any attempt to resize the hashtable beyond the allowed limit is rejected before the allocation is attempted, preventing the warning, unwanted behavior, and system crashes.
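To make the bound concrete, here is an added user-space model (not the kernel's code and not the upstream patch) of the two sizing paths described in the Vulnerability Details and Code Snippet sections above. It assumes an 8-byte bucket (one pointer per hlist_nulls_head on a 64-bit kernel) and reproduces the allocator-side rule from mm/util.c that kvmalloc() refuses, and without __GFP_NOWARN warns once about, any request larger than INT_MAX bytes. The unbounded path shows how a slot count that fits in an unsigned int still produces a byte size the allocator rejects; the clamped path rejects such a request up front with -EINVAL.

```c
/* Added example: models the conntrack hashtable size check. Not kernel code. */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed bucket size: one pointer per hlist_nulls_head on a 64-bit kernel. */
#define BUCKET_BYTES 8u

/* Largest request kvmalloc() accepts without warning (the INT_MAX rule in mm/util.c). */
#define KVMALLOC_MAX_BYTES ((uint64_t)INT_MAX)

/* Pre-fix behaviour (sketch): the slot count is only limited by its unsigned
 * int type, so the byte size handed to the allocator is unbounded.
 * Returns the byte size that would be requested, or 0 for an empty table. */
uint64_t hashtable_bytes_unbounded(unsigned int hashsize)
{
    if (hashsize == 0)
        return 0;
    return (uint64_t)hashsize * BUCKET_BYTES; /* may exceed INT_MAX */
}

/* Would the unbounded path trip the allocator's WARN_ON_ONCE for this size? */
bool would_trigger_warn(unsigned int hashsize)
{
    return hashtable_bytes_unbounded(hashsize) > KVMALLOC_MAX_BYTES;
}

/* Post-fix behaviour: reject any size whose byte footprint would exceed
 * INT_MAX before the allocator ever sees it. 0 on success, -EINVAL otherwise. */
int check_hashsize_clamped(unsigned int hashsize)
{
    if (hashsize == 0)
        return -EINVAL;
    if ((uint64_t)hashsize > KVMALLOC_MAX_BYTES / BUCKET_BYTES)
        return -EINVAL;
    return 0;
}

int main(void)
{
    /* Constructed sample sizes: a typical table, a large but valid one, and
     * an oversized request of the kind the fix now rejects. */
    unsigned int samples[] = { 65536u, 16u * 1024u * 1024u, UINT_MAX };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned int h = samples[i];
        printf("hashsize=%u bytes=%llu warn_before_fix=%s accepted_after_fix=%s\n",
               h, (unsigned long long)hashtable_bytes_unbounded(h),
               would_trigger_warn(h) ? "yes" : "no",
               check_hashsize_clamped(h) == 0 ? "yes" : "no");
    }
    return 0;
}
```

The clamp is expressed in bytes rather than in slots on purpose: with 8-byte buckets the largest acceptable slot count is INT_MAX / 8, so a check against INT_MAX slots alone would still admit byte sizes the allocator refuses. Whichever form the kernel uses, the invariant to verify is that the byte size reaching kvmalloc() never exceeds INT_MAX.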

Exploit Details

It is essential to note that this vulnerability can only be triggered from the init_netns, meaning that only the initial network namespace is affected. Users operating in different network namespaces are not susceptible to this issue.

To exploit the vulnerability, an attacker would need access to the system and the privilege to change the conntrack hashtable size. Given its limited scope, this issue is not considered critical. However, addressing it is essential to maintain the stability and overall health of the Linux kernel. The recommended mitigation steps are:

1. Update the Linux kernel with the latest patches and ensure that the netfilter conntrack subsystem has the correct maximum hashtable size clamped to INT_MAX.

2. Restrict the privileged users and mechanisms that can increase the size of the conntrack hashtable.

Conclusion

The CVE-2025-21648 vulnerability has been successfully addressed, and its impact is relatively limited. By clamping the maximum hashtable size to INT_MAX and following the recommended mitigation steps, users can prevent any potential issues arising from this vulnerability while maintaining a secure and stable Linux kernel environment.

Timeline

Published on: 01/19/2025 11:15:10 UTC
Last modified on: 02/02/2025 11:15:15 UTC