{"id":"CVE-2025-71097","summary":"ipv4: Fix reference count leak when using error routes with nexthop objects","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: Fix reference count leak when using error routes with nexthop objects\n\nWhen a nexthop object is deleted, it is marked as dead and then\nfib_table_flush() is called to flush all the routes that are using the\ndead nexthop.\n\nThe current logic in fib_table_flush() is to only flush error routes\n(e.g., blackhole) when it is called as part of network namespace\ndismantle (i.e., with flush_all=true). Therefore, error routes are not\nflushed when their nexthop object is deleted:\n\n # ip link add name dummy1 up type dummy\n # ip nexthop add id 1 dev dummy1\n # ip route add 198.51.100.1/32 nhid 1\n # ip route add blackhole 198.51.100.2/32 nhid 1\n # ip nexthop del id 1\n # ip route show\n blackhole 198.51.100.2 nhid 1 dev dummy1\n\nAs such, they keep holding a reference on the nexthop object which in\nturn holds a reference on the nexthop device, resulting in a reference\ncount leak:\n\n # ip link del dev dummy1\n [   70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2\n\nFix by flushing error routes when their nexthop is marked as dead.\n\nIPv6 does not suffer from this problem.","modified":"2026-04-16T04:33:27.247247870Z","published":"2026-01-13T15:34:56.814Z","related":["SUSE-SU-2026:0447-1","SUSE-SU-2026:0472-1","SUSE-SU-2026:0587-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20555-1","SUSE-SU-2026:20599-1","SUSE-SU-2026:20615-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","openSUSE-SU-2026:20287-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71097.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/30386e090c49e803c0616a7147e43409c32a2b0e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/33ff5c207c873215e54e6176624ed57423cb7dea"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5979338c83012110ccd45cae6517591770bfe536"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5de7ad7e18356e39e8fbf7edd185a5faaf4f385a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ac782f4e3bfcde145b8a7f8af31d9422d94d172a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e3fc381320d04e4a74311e576a86cac49a16fc43"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ee4183501ea556dca31f5ffd8690aa9fd25b609f"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71097.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-71097"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"493ced1ac47c48bb86d9d4e8e87df8592be85a0e"},{"fixed":"5de7ad7e18356e39e8fbf7edd185a5faaf4f385a"},{"fixed":"33ff5c207c873215e54e6176624ed57423cb7dea"},{"fixed":"30386e090c49e803c0616a7147e43409c32a2b0e"},{"fixed":"5979338c83012110ccd45cae6517591770bfe536"},{"fixed":"ee4183501ea556dca31f5ffd8690aa9fd25b609f"},{"fixed":"e3fc381320d04e4a74311e576a86cac49a16fc43"},{"fixed":"ac782f4e3bfcde145b8a7f8af31d9422d94d172a"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-71097.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.3.0"},{"fixed":"5.10.248"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.198"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.160"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.120"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.64"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-71097.json"}}],"schema_version":"1.7.5"}