Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: clamp maximum hashtable size to INT_MAX Use INT_MAX as maximum size for the conntrack hashtable. Otherwise, it is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when resizing hashtable because __GFP_NOWARN is unset. See: 0708a0afe291 ("mm: Consider __GFP_NOWARN flag for oversized kvmalloc() calls") Note: hashtable resize is only possible from init_netns.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux Kernel | >= 4.7.1, < 5.10.234 |
References
- https://git.kernel.org/stable/c/5552b4fd44be3393b930434a7845d8d95a2a3c33Patch
- https://git.kernel.org/stable/c/a965f7f0ea3ae61b9165bed619d5d6da02c75f80Patch
- https://git.kernel.org/stable/c/b1b2353d768f1b80cd7fe045a70adee576b9b338Patch
- https://git.kernel.org/stable/c/b541ba7d1f5a5b7b3e2e22dc9e40e18a7d6dbc13Patch
- https://git.kernel.org/stable/c/d5807dd1328bbc86e059c5de80d1bbee9d58ca3dPatch
- https://git.kernel.org/stable/c/f559357d035877b9d0dcd273e0ff83e18e1d46aaPatch
- https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
- https://cert-portal.siemens.com/productcert/html/ssa-265688.html
FAQ
What is CVE-2025-21648?
CVE-2025-21648 is a vulnerability with a CVSS score of 5.5 (MEDIUM). In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: clamp maximum hashtable size to INT_MAX Use INT_MAX as maximum size for the conntrack hashtable. Otherwise, ...
How severe is CVE-2025-21648?
CVE-2025-21648 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-21648?
Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel.