Message-ID: <2026011344-CVE-2025-71097-7cfc@gregkh>
Date: Tue, 13 Jan 2026 16:35:56 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-71097: ipv4: Fix reference count leak when using error routes with nexthop objects

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

ipv4: Fix reference count leak when using error routes with nexthop objects

When a nexthop object is deleted, it is marked as dead and then
fib_table_flush() is called to flush all the routes that are using the
dead nexthop.

The current logic in fib_table_flush() is to only flush error routes
(e.g., blackhole) when it is called as part of network namespace
dismantle (i.e., with flush_all=true). Therefore, error routes are not
flushed when their nexthop object is deleted:

 # ip link add name dummy1 up type dummy
 # ip nexthop add id 1 dev dummy1
 # ip route add 198.51.100.1/32 nhid 1
 # ip route add blackhole 198.51.100.2/32 nhid 1
 # ip nexthop del id 1
 # ip route show
 blackhole 198.51.100.2 nhid 1 dev dummy1

As such, they keep holding a reference on the nexthop object which in
turn holds a reference on the nexthop device, resulting in a reference
count leak:

 # ip link del dev dummy1
 [   70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2

Fix by flushing error routes when their nexthop is marked as dead.

IPv6 does not suffer from this problem.

The Linux kernel CVE team has assigned CVE-2025-71097 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.3 with commit 493ced1ac47c48bb86d9d4e8e87df8592be85a0e and fixed in 6.1.160 with commit 30386e090c49e803c0616a7147e43409c32a2b0e
	Issue introduced in 5.3 with commit 493ced1ac47c48bb86d9d4e8e87df8592be85a0e and fixed in 6.6.120 with commit 5979338c83012110ccd45cae6517591770bfe536
	Issue introduced in 5.3 with commit 493ced1ac47c48bb86d9d4e8e87df8592be85a0e and fixed in 6.12.64 with commit ee4183501ea556dca31f5ffd8690aa9fd25b609f
	Issue introduced in 5.3 with commit 493ced1ac47c48bb86d9d4e8e87df8592be85a0e and fixed in 6.18.4 with commit e3fc381320d04e4a74311e576a86cac49a16fc43
	Issue introduced in 5.3 with commit 493ced1ac47c48bb86d9d4e8e87df8592be85a0e and fixed in 6.19-rc4 with commit ac782f4e3bfcde145b8a7f8af31d9422d94d172a

Please see https://www.kernel.org for a full list of kernel versions
currently supported by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-71097
will be updated if fixes are backported; please check it for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/ipv4/fib_trie.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/30386e090c49e803c0616a7147e43409c32a2b0e
	https://git.kernel.org/stable/c/5979338c83012110ccd45cae6517591770bfe536
	https://git.kernel.org/stable/c/ee4183501ea556dca31f5ffd8690aa9fd25b609f
	https://git.kernel.org/stable/c/e3fc381320d04e4a74311e576a86cac49a16fc43
	https://git.kernel.org/stable/c/ac782f4e3bfcde145b8a7f8af31d9422d94d172a
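
The following check is an added example, not part of the advisory or the kernel fix: it looks for the two symptoms shown in the description, an error route that still carries an nhid with no matching nexthop object, and the unregister_netdevice wait message. The function names and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not kernel or advisory code): find IPv4 error routes that
# still reference a nexthop id which no longer exists.

# Constructed sample data, modelled on the reproducer in the description.
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
198.51.100.7 nhid 2 dev dummy2
blackhole 198.51.100.2 nhid 1 dev dummy1
unreachable 198.51.100.9 nhid 2 dev dummy2
blackhole 198.51.100.3'
SAMPLE_NEXTHOPS='id 2 dev dummy2 scope link'
SAMPLE_DMESG='[   70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2'

# stale_error_routes ROUTES NEXTHOPS
# ROUTES is `ip route show` text, NEXTHOPS is `ip nexthop show` text.
# Prints each error route (blackhole, unreachable, prohibit, throw) whose
# nhid is missing from NEXTHOPS.
stale_error_routes() {
    printf '%s\n' "$1" | NEXTHOPS="$2" awk '
        BEGIN {
            n = split(ENVIRON["NEXTHOPS"], line, "\n")
            for (i = 1; i <= n; i++) {
                split(line[i], f, " ")
                if (f[1] == "id") live[f[2]] = 1
            }
        }
        $1 ~ /^(blackhole|unreachable|prohibit|throw)$/ {
            for (i = 2; i < NF; i++)
                if ($i == "nhid" && !($(i + 1) in live)) print
        }'
}

# leaked_devices LOG
# Prints the unique device names from "unregister_netdevice: waiting for"
# kernel log lines.
leaked_devices() {
    printf '%s\n' "$1" |
        sed -n 's/.*unregister_netdevice: waiting for \(.*\) to become free\..*/\1/p' |
        sort -u
}

stale_error_routes "$SAMPLE_ROUTES" "$SAMPLE_NEXTHOPS"
leaked_devices "$SAMPLE_DMESG"
```

On a live host the same functions can be fed `"$(ip -4 route show table all)"`, `"$(ip nexthop show)"` and `"$(dmesg)"`; any output from the first function means an error route has outlived its nexthop object.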
