Linux Kernel Netfilter nf_conncount Connection Cleanup Limit Increase Vulnerability

Vulnerability

A vulnerability in the Linux kernel's netfilter component, specifically within the nf_conncount module, has been addressed. The issue arose after an optimization that reduced garbage collection (GC) frequency: with fewer GC passes, and each pass limited in how many entries it may clean up, new connection-tracking entries could arrive faster than expired ones were removed, so connection tracking exceeded the cleanup capacity. The result is improper management of connection data, which can disrupt network operations.

Impact

The vulnerability can cause connection tracking lists to become overloaded with entries that are never cleaned up, leading to improper management of network connections. Services that rely on accurate connection tracking (for example, per-source connection limits) can be disrupted, with degraded performance or service unavailability as the possible outcome.

Reproduction

The vulnerability can be reproduced by configuring an Open vSwitch (OVS) connection limit and using a load-generation tool such as 'slowhttptest' to open a high volume of connections. This setup demonstrates how the connection tracking list becomes overloaded once the garbage collection process fails to keep up with the influx of new connections.
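The following is an added toy model, not kernel code and not part of this advisory, that illustrates the mechanism described in the Vulnerability and Reproduction sections: a per-source connection list whose cleanup pass frees at most a fixed number of expired entries, run only every N-th insertion. All parameters (TTL, GC interval, cleanup cap, number of connections) are constructed for the illustration; they are not the kernel's real constants.

```python
from collections import deque


def gc_pass(entries: deque, now: int, gc_max_nodes: int) -> deque:
    """One bounded cleanup pass: walk the list from the oldest entry, drop
    expired ones, and stop freeing once gc_max_nodes entries have been freed.
    Anything not reached by the pass is left for a later one."""
    kept: deque = deque()
    freed = 0
    while entries:
        expiry = entries.popleft()
        if expiry <= now and freed < gc_max_nodes:
            freed += 1        # expired and within this pass's budget
            continue
        kept.append(expiry)   # still live, or expired but over budget
    return kept


def simulate(inserts: int, ttl: int, gc_every: int, gc_max_nodes: int) -> dict:
    """Insert one connection per tick for `inserts` ticks; each lives `ttl` ticks.
    A GC pass runs before every `gc_every`-th insert. Returns the list size at
    the end, split into live entries and stale (expired, uncollected) ones."""
    entries: deque = deque()  # expiry ticks, oldest first (constructed model)
    for tick in range(inserts):
        if tick % gc_every == 0:
            entries = gc_pass(entries, tick, gc_max_nodes)
        entries.append(tick + ttl)
    now = inserts
    stale = sum(1 for expiry in entries if expiry <= now)
    return {"total": len(entries), "stale": stale, "live": len(entries) - stale}


def cleanup_capacity_per_insert(gc_every: int, gc_max_nodes: int) -> float:
    """Upper bound on expired entries removable per insertion. Below 1.0 the
    stale backlog grows without bound when entries expire faster than that."""
    return gc_max_nodes / gc_every


if __name__ == "__main__":
    # Frequent GC with a small cap: the backlog stays bounded.
    print("gc every insert, cap 8:", simulate(1000, 10, 1, 8))
    # Same cap after GC frequency is cut: stale entries pile up (the bug).
    print("gc every 16th, cap 8:  ", simulate(1000, 10, 16, 8))
    # Reduced frequency but a larger cleanup cap: bounded again (the fix).
    print("gc every 16th, cap 32: ", simulate(1000, 10, 16, 32))
```

With the constructed parameters, the middle scenario leaves roughly half of all inserted connections as uncollected stale entries, which is the overload the advisory describes; raising the per-pass cap restores a bounded list.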

Remediation

Users should update to a Linux kernel version in which this vulnerability has been fixed. Instructions for updating the kernel can be found in the official Linux kernel documentation.

Added: May 28, 2026, 2:25 AM
Updated: May 28, 2026, 2:25 AM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread          9.0
  impact          0.6
  exploitability  5.7
  remediation     7.7
  relevance       9.1
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.