Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A reference count leak vulnerability has been identified in the Linux kernel's IPv4 routing management. This issue arises when a nexthop object is deleted, as the associated error routes (such as blackhole routes) are not properly flushed. The problem occurs because the current logic only removes error routes during a network namespace dismantle. As a result, deleted nexthop objects continue to hold references, leading to a count leak that can cause network devices to remain in use longer than necessary.
Exploitation of this vulnerability causes a reference count leak. The leaked references increase resource usage and can potentially result in denial of service, because network devices remain in use longer than necessary.
The vulnerability can be reproduced by creating a nexthop object and adding both a regular route and an error route (blackhole) that use this nexthop. After deleting the nexthop object, the blackhole route can still be queried, indicating that it has not been flushed. This failure to flush the error route when the nexthop is deleted creates a reference count leak, which can be observed by attempting to delete the network device used for the nexthop, as the device will still be reported as in use.
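The symptom described above (a route that still names a deleted nexthop) can be checked for from saved or live `ip` output. The following is an added example, not code from the kernel project or from this advisory; the function name `stale_nhid_routes`, the device names and the addresses are assumptions, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: report routes whose "nhid N" points at a nexthop id that no
# longer exists, which is the observable symptom of the unflushed error route.

# stale_nhid_routes NEXTHOPS ROUTES   (hypothetical helper name)
#   NEXTHOPS: text in the format printed by `ip nexthop show`
#   ROUTES:   text in the format printed by `ip -4 route show table all`
# Prints each route line that references a nexthop id missing from NEXTHOPS.
stale_nhid_routes() {
    {
        printf '%s\n' "$1"
        printf '%s\n' '--routes--'   # separator between the two inputs
        printf '%s\n' "$2"
    } | awk '
        $0 == "--routes--" { in_routes = 1; next }
        # First part: remember every nexthop id that still exists.
        !in_routes { if ($1 == "id") live[$2] = 1; next }
        # Second part: flag routes whose nhid is not among the live ids.
        {
            for (i = 1; i < NF; i++)
                if ($i == "nhid" && !(($(i + 1)) in live)) { print; break }
        }'
}

# Constructed sample: nexthop id 1 has been deleted, id 2 still exists.
SAMPLE_NEXTHOPS='id 2 dev dummy2 scope link'
SAMPLE_ROUTES='192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
198.51.100.3 nhid 2 dev dummy2 scope link
blackhole 198.51.100.2 nhid 1 dev dummy1'

# Prints only the blackhole route, which still references the deleted id 1.
stale_nhid_routes "$SAMPLE_NEXTHOPS" "$SAMPLE_ROUTES"

# Read-only use on a live host:
#   stale_nhid_routes "$(ip nexthop show)" "$(ip -4 route show table all)"
```

Empty output means no route references a missing nexthop id, which is the expected state on a fixed kernel.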
The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.