{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-21648","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-12-29T08:45:45.728Z","datePublished":"2025-01-19T10:18:05.700Z","dateUpdated":"2025-11-03T20:58:30.561Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T07:18:12.315Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: clamp maximum hashtable size to INT_MAX\n\nUse INT_MAX as maximum size for the conntrack hashtable. Otherwise, it\nis possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when\nresizing hashtable because __GFP_NOWARN is unset. See:\n\n  0708a0afe291 (\"mm: Consider __GFP_NOWARN flag for oversized kvmalloc() calls\")\n\nNote: hashtable resize is only possible from init_netns."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/netfilter/nf_conntrack_core.c"],"versions":[{"version":"9cc1c73ad66610bffc80b691136ffc1e9a3b1a58","lessThan":"a965f7f0ea3ae61b9165bed619d5d6da02c75f80","status":"affected","versionType":"git"},{"version":"9cc1c73ad66610bffc80b691136ffc1e9a3b1a58","lessThan":"b1b2353d768f1b80cd7fe045a70adee576b9b338","status":"affected","versionType":"git"},{"version":"9cc1c73ad66610bffc80b691136ffc1e9a3b1a58","lessThan":"5552b4fd44be3393b930434a7845d8d95a2a3c33","status":"affected","versionType":"git"},{"version":"9cc1c73ad66610bffc80b691136ffc1e9a3b1a58","lessThan":"d5807dd1328bbc86e059c5de80d1bbee9d58ca3d","status":"affected","versionType":"git"},{"version":"9cc1c73ad66610bffc80b691136ffc1e9a3b1a58","lessThan":"f559357d035877b9d0dcd273e0ff83e18e1d46aa","status":"affected","versionType":"git"},{"version":"9cc1c73ad66610bffc80b691136ffc1e9a3b1a58","lessThan":"b541ba7d1f5a5b7b3e2e22dc9e40e18a7d6dbc13","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/netfilter/nf_conntrack_core.c"],"versions":[{"version":"4.7","status":"affected"},{"version":"0","lessThan":"4.7","status":"unaffected","versionType":"semver"},{"version":"5.10.234","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.177","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.125","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.72","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.10","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.7","versionEndExcluding":"5.10.234"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.7","versionEndExcluding":"5.15.177"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.7","versionEndExcluding":"6.1.125"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.7","versionEndExcluding":"6.6.72"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.7","versionEndExcluding":"6.12.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.7","versionEndExcluding":"6.13"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/a965f7f0ea3ae61b9165bed619d5d6da02c75f80"},{"url":"https://git.kernel.org/stable/c/b1b2353d768f1b80cd7fe045a70adee576b9b338"},{"url":"https://git.kernel.org/stable/c/5552b4fd44be3393b930434a7845d8d95a2a3c33"},{"url":"https://git.kernel.org/stable/c/d5807dd1328bbc86e059c5de80d1bbee9d58ca3d"},{"url":"https://git.kernel.org/stable/c/f559357d035877b9d0dcd273e0ff83e18e1d46aa"},{"url":"https://git.kernel.org/stable/c/b541ba7d1f5a5b7b3e2e22dc9e40e18a7d6dbc13"}],"title":"netfilter: conntrack: clamp maximum hashtable size to INT_MAX","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T20:58:30.561Z"}}]}}