Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's netfilter connection tracking (conntrack) subsystem has been addressed. The issue arose after garbage collection (GC) of conntrack entries was changed to run at a fixed two-minute interval. On systems with a large conntrack hash table, most expired entries were then evicted by the GC run rather than during normal packet processing, so each run produced a burst of destroy events and overflowed the netlink event queue. The fix changes the GC to record the average expiry of the entries it scans and to reschedule itself for the average remaining time, clamped to between 1 and 60 seconds. To keep event bursts small, the GC now reschedules after processing each hash table bucket and limits both its runtime and the number of evictions per cycle; if more entries still need to be evicted, it reschedules and resumes after a short delay.
The vulnerability could lead to netlink event overflows, causing disruptions in event handling and potentially overwhelming the netlink socket with excessive events.
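The following is an added, constructed model of the rescheduling logic the advisory describes; it is not kernel code. It evicts expired entries up to a hypothetical per-cycle budget (`GC_MAX_EVICTS`), and otherwise derives the next run time from the average remaining lifetime of live entries, clamped to the 1 to 60 second window; the runtime limit and per-bucket rescheduling are left out.

```c
#include <stddef.h>
#include <stdint.h>

#define GC_INTERVAL_MIN_S 1   /* lower clamp from the advisory: 1 s */
#define GC_INTERVAL_MAX_S 60  /* upper clamp from the advisory: 60 s */
#define GC_MAX_EVICTS 8       /* hypothetical per-cycle eviction budget */

struct ct_entry { uint32_t expires_at; int alive; };

/* evicted: entries removed this cycle; need_rerun: budget exhausted with
 * expired entries still present; next_run_s: delay before the next pass. */
struct gc_result { size_t evicted; int need_rerun; uint32_t next_run_s; };

/* Clamp the average remaining lifetime into the allowed reschedule window. */
uint32_t clamp_interval(uint64_t avg_s)
{
    if (avg_s < GC_INTERVAL_MIN_S) return GC_INTERVAL_MIN_S;
    if (avg_s > GC_INTERVAL_MAX_S) return GC_INTERVAL_MAX_S;
    return (uint32_t)avg_s;
}

/* One GC pass over the table: evict expired entries up to the budget; if the
 * budget is not hit, average the remaining lifetime of live entries. */
struct gc_result gc_cycle(struct ct_entry *tbl, size_t n, uint32_t now)
{
    struct gc_result r = { 0, 0, GC_INTERVAL_MAX_S };
    uint64_t sum_remaining = 0;
    size_t live = 0;
    for (size_t i = 0; i < n; i++) {
        if (!tbl[i].alive) continue;
        if (tbl[i].expires_at <= now) {
            tbl[i].alive = 0;
            if (++r.evicted >= GC_MAX_EVICTS) {
                /* Stop early: spread a burst of evictions over several short
                 * cycles instead of flooding the netlink event queue at once. */
                r.need_rerun = 1;
                r.next_run_s = GC_INTERVAL_MIN_S;
                return r;
            }
            continue;
        }
        sum_remaining += tbl[i].expires_at - now;
        live++;
    }
    if (live) r.next_run_s = clamp_interval(sum_remaining / live);
    return r;
}

#define SAMPLE_N 20
#define NOW 100
struct ct_entry sample[SAMPLE_N];

/* Constructed sample: 12 entries already expired, 4 with 10 s and 4 with 30 s left. */
void reset_sample(void)
{
    for (size_t i = 0; i < SAMPLE_N; i++) {
        sample[i].alive = 1;
        sample[i].expires_at = i < 12 ? NOW - 1 : (i < 16 ? NOW + 10 : NOW + 30);
    }
}
```

Run `gc_cycle` repeatedly on the sample: the first pass stops at 8 evictions and asks to rerun after 1 s, the second evicts the remaining 4 and reschedules for the 20 s average lifetime of the survivors.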