{"id":"CVE-2025-38721","summary":"netfilter: ctnetlink: fix refcount leak on table dump","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: fix refcount leak on table dump\n\nThere is a reference count leak in ctnetlink_dump_table():\n      if (res \u003c 0) {\n                nf_conntrack_get(&ct-\u003ect_general); // HERE\n                cb-\u003eargs[1] = (unsigned long)ct;\n                ...\n\nWhile it's very unlikely, it's possible that ct == last.\nIf this happens, then the refcount of ct was already incremented.\nThis 2nd increment is never undone.\n\nThis prevents the conntrack object from being released, which in turn\nprevents cnet-\u003ecount from dropping back to 0.\n\nThis will then block the netns dismantle (or conntrack rmmod) as\nnf_conntrack_cleanup_net_list() will wait forever.\n\nThis can be reproduced by running conntrack_resize.sh selftest in a loop.\nIt takes ~20 minutes for me on a preemptible kernel on average before\nI see a runaway kworker spinning in nf_conntrack_cleanup_net_list.\n\nOne fix would be to change this to:\n        if (res \u003c 0) {\n\t\tif (ct != last)\n\t                nf_conntrack_get(&ct-\u003ect_general);\n\nBut this reference counting isn't needed in the first place.\nWe can just store a cookie value instead.\n\nA followup patch will do the same for ctnetlink_exp_dump_table,\nit looks to me as if this has the same problem and like\nctnetlink_dump_table, we only need a 'skip hint', not the actual\nobject so we can apply the same cookie strategy there as 
well.","modified":"2026-04-16T04:36:56.684821229Z","published":"2025-09-04T15:33:14.891Z","related":["SUSE-SU-2025:03600-1","SUSE-SU-2025:03601-1","SUSE-SU-2025:03602-1","SUSE-SU-2025:03633-1","SUSE-SU-2025:03634-1","SUSE-SU-2025:20851-1","SUSE-SU-2025:20861-1","SUSE-SU-2025:20870-1","SUSE-SU-2025:20898-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","SUSE-SU-2025:3725-1","SUSE-SU-2025:3751-1","openSUSE-SU-2025:20081-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38721.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/19b909a4b1452fb97e477d2f08b97f8d04095619"},{"type":"WEB","url":"https://git.kernel.org/stable/c/30cf811058552b8cd0e98dff677ef3f89d6d34ce"},{"type":"WEB","url":"https://git.kernel.org/stable/c/41462f4cfc583513833f87f9ee55d12da651a7e3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/586892e341fbf698e7cbaca293e1353957db725a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/962518c6ca9f9a13df099cafa429f72f68ad61f0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a2cb4df7872de069f809de2f076ec8e54d649fe3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a62d6aa3f31f216b637a4c71b7a8bfc7c57f049b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/de788b2e6227462b6dcd0e07474e72c089008f74"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e14f72aa66c029db106921d621edcedef68e065b"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38721.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38721"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git
.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d205dc40798d97d63ad348bfaf7394f445d152d4"},{"fixed":"586892e341fbf698e7cbaca293e1353957db725a"},{"fixed":"962518c6ca9f9a13df099cafa429f72f68ad61f0"},{"fixed":"19b909a4b1452fb97e477d2f08b97f8d04095619"},{"fixed":"41462f4cfc583513833f87f9ee55d12da651a7e3"},{"fixed":"30cf811058552b8cd0e98dff677ef3f89d6d34ce"},{"fixed":"a2cb4df7872de069f809de2f076ec8e54d649fe3"},{"fixed":"e14f72aa66c029db106921d621edcedef68e065b"},{"fixed":"a62d6aa3f31f216b637a4c71b7a8bfc7c57f049b"},{"fixed":"de788b2e6227462b6dcd0e07474e72c089008f74"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38721.json"}}],"schema_version":"1.7.5"}