Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's netfilter component, concerning the management of connection tracking expectations, has been addressed. The issue arose because 'nf_conntrack_in()', when calling 'nf_ct_find_expectation()', removed the expectation from the hash table. In some scenarios, such as Open vSwitch (OVS) and Traffic Control (TC) connection tracking, the expectation should remain in place when the created connection tracking entry will not be confirmed. The patch allows the expectation to be retained by setting the 'IPS_CONFIRMED' status in the template.
The vulnerability could lead to improper management of connection tracking expectations, potentially causing issues in network traffic handling and processing.