CVE-2025-21648

netfilter: conntrack: clamp maximum hashtable size to INT_MAX

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: clamp maximum hashtable size to INT_MAX Use INT_MAX as maximum size for the conntrack hashtable. Otherwise, it is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when resizing hashtable because __GFP_NOWARN is unset. See: 0708a0afe291 ("mm: Consider __GFP_NOWARN flag for oversized kvmalloc() calls") Note: hashtable resize is only possible from init_netns.

N/A
CVSS
Severity:
EPSS 0.09%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/a965f7f0ea3ae61b9165bed619d5d6da02c75f80
https://git.kernel.org/stable/c/b1b2353d768f1b80cd7fe045a70adee576b9b338
https://git.kernel.org/stable/c/5552b4fd44be3393b930434a7845d8d95a2a3c33
https://git.kernel.org/stable/c/d5807dd1328bbc86e059c5de80d1bbee9d58ca3d
https://git.kernel.org/stable/c/f559357d035877b9d0dcd273e0ff83e18e1d46aa
https://git.kernel.org/stable/c/b541ba7d1f5a5b7b3e2e22dc9e40e18a7d6dbc13

Frequently Asked Questions

What is the severity of CVE-2025-21648?
CVE-2025-21648 has not yet been assigned a CVSS score.
How to fix CVE-2025-21648?
To fix CVE-2025-21648, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-21648 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-21648 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-21648?
CVE-2025-21648 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.