CVE Catalog

CVE-2025-38732

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

6th percentile - higher than 6% of all known CVEs

Summary

In the Linux kernel, a dst refcount leak was discovered for loopback packets in the netfilter nf_reject module. The issue occurs when nf_reject_fill_skb_dst attempts to replace the dst entry in a packet that already has one (e.g., loopback traffic), triggering a WARN() and potential memory leak.

Risk Assessment

The dst refcount leak can gradually exhaust kernel memory, especially under heavy loopback traffic (e.g., local tests or applications using localhost). This may lead to system instability or denial of service (DoS) for network-dependent processes.

Recommendation

Immediately update the Linux kernel to a version containing the fix (commit addressing the issue). If an update is not possible, restrict loopback traffic via netfilter rules or monitor kernel memory usage for anomalies.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject: don't leak dst refcount for loopback packets recent patches to add a WARN() when replacing skb dst entry found an old bug: WARNING: include/linux/skbuff.h:1165 skb_dst_check_unset include/linux/skbuff.h:1164 [inline] WARNING: include/linux/skbuff.h:1165 skb_dst_set include/linux/skbuff.h:1210 [inline] WARNING: include/linux/skbuff.h:1165 nf_reject_fill_skb_dst+0x2a4/0x330 net/ipv4/netfilter/nf_reject_ipv4.c:234 [..] Call Trace: nf_send_unreach+0x17b/0x6e0 net/ipv4/netfilter/nf_reject_ipv4.c:325 nft_reject_inet_eval+0x4bc/0x690 net/netfilter/nft_reject_inet.c:27 expr_call_ops_eval net/netfilter/nf_tables_core.c:237 [inline] .. This is because blamed commit forgot about loopback packets. Such packets already have a dst_entry attached, even at PRE_ROUTING stage. Instead of checking hook just check if the skb already has a route attached to it.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS