{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-71097","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-01-13T15:30:19.650Z","datePublished":"2026-01-13T15:34:56.814Z","dateUpdated":"2026-05-11T21:54:41.289Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:54:41.289Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: Fix reference count leak when using error routes with nexthop objects\n\nWhen a nexthop object is deleted, it is marked as dead and then\nfib_table_flush() is called to flush all the routes that are using the\ndead nexthop.\n\nThe current logic in fib_table_flush() is to only flush error routes\n(e.g., blackhole) when it is called as part of network namespace\ndismantle (i.e., with flush_all=true). Therefore, error routes are not\nflushed when their nexthop object is deleted:\n\n # ip link add name dummy1 up type dummy\n # ip nexthop add id 1 dev dummy1\n # ip route add 198.51.100.1/32 nhid 1\n # ip route add blackhole 198.51.100.2/32 nhid 1\n # ip nexthop del id 1\n # ip route show\n blackhole 198.51.100.2 nhid 1 dev dummy1\n\nAs such, they keep holding a reference on the nexthop object which in\nturn holds a reference on the nexthop device, resulting in a reference\ncount leak:\n\n # ip link del dev dummy1\n [   70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2\n\nFix by flushing error routes when their nexthop is marked as dead.\n\nIPv6 does not suffer from this problem."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/fib_trie.c"],"versions":[{"version":"493ced1ac47c48bb86d9d4e8e87df8592be85a0e","lessThan":"5de7ad7e18356e39e8fbf7edd185a5faaf4f385a","status":"affected","versionType":"git"},{"version":"493ced1ac47c48bb86d9d4e8e87df8592be85a0e","lessThan":"33ff5c207c873215e54e6176624ed57423cb7dea","status":"affected","versionType":"git"},{"version":"493ced1ac47c48bb86d9d4e8e87df8592be85a0e","lessThan":"30386e090c49e803c0616a7147e43409c32a2b0e","status":"affected","versionType":"git"},{"version":"493ced1ac47c48bb86d9d4e8e87df8592be85a0e","lessThan":"5979338c83012110ccd45cae6517591770bfe536","status":"affected","versionType":"git"},{"version":"493ced1ac47c48bb86d9d4e8e87df8592be85a0e","lessThan":"ee4183501ea556dca31f5ffd8690aa9fd25b609f","status":"affected","versionType":"git"},{"version":"493ced1ac47c48bb86d9d4e8e87df8592be85a0e","lessThan":"e3fc381320d04e4a74311e576a86cac49a16fc43","status":"affected","versionType":"git"},{"version":"493ced1ac47c48bb86d9d4e8e87df8592be85a0e","lessThan":"ac782f4e3bfcde145b8a7f8af31d9422d94d172a","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/fib_trie.c"],"versions":[{"version":"5.3","status":"affected"},{"version":"0","lessThan":"5.3","status":"unaffected","versionType":"semver"},{"version":"5.10.248","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.198","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.160","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.120","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.64","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.4","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"5.10.248"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"5.15.198"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.1.160"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.6.120"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.12.64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.18.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.19"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/5de7ad7e18356e39e8fbf7edd185a5faaf4f385a"},{"url":"https://git.kernel.org/stable/c/33ff5c207c873215e54e6176624ed57423cb7dea"},{"url":"https://git.kernel.org/stable/c/30386e090c49e803c0616a7147e43409c32a2b0e"},{"url":"https://git.kernel.org/stable/c/5979338c83012110ccd45cae6517591770bfe536"},{"url":"https://git.kernel.org/stable/c/ee4183501ea556dca31f5ffd8690aa9fd25b609f"},{"url":"https://git.kernel.org/stable/c/e3fc381320d04e4a74311e576a86cac49a16fc43"},{"url":"https://git.kernel.org/stable/c/ac782f4e3bfcde145b8a7f8af31d9422d94d172a"}],"title":"ipv4: Fix reference count leak when using error routes with nexthop objects","x_generator":{"engine":"bippy-1.2.0"}}}}