
CVE-2025-21959: Vulnerability in the Linux kernel

Severity: High
Published: Tue Apr 01 2025 (04/01/2025, 15:46:57 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree()

Since commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage collection confirm race"), `cpu` and `jiffies32` were introduced to the struct nf_conncount_tuple. The commit made nf_conncount_add() initialize `conn->cpu` and `conn->jiffies32` when allocating the struct. In contrast, count_tree() was not changed to initialize them.

By commit 34848d5c896e ("netfilter: nf_conncount: Split insert and traversal"), count_tree() was split and the relevant allocation code now resides in insert_tree().

Initialize `conn->cpu` and `conn->jiffies32` in insert_tree().

BUG: KMSAN: uninit-value in find_or_evict net/netfilter/nf_conncount.c:117 [inline]
BUG: KMSAN: uninit-value in __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143
 find_or_evict net/netfilter/nf_conncount.c:117 [inline]
 __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143
 count_tree net/netfilter/nf_conncount.c:438 [inline]
 nf_conncount_count+0x82f/0x1e80 net/netfilter/nf_conncount.c:521
 connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72
 __nft_match_eval net/netfilter/nft_compat.c:403 [inline]
 nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433
 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
 nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288
 nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
 nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663
 NF_HOOK_LIST include/linux/netfilter.h:350 [inline]
 ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633
 ip_list_rcv+0x9ef/0xa40 net/ipv4/ip_input.c:669
 __netif_receive_skb_list_ptype net/core/dev.c:5936 [inline]
 __netif_receive_skb_list_core+0x15c5/0x1670 net/core/dev.c:5983
 __netif_receive_skb_list net/core/dev.c:6035 [inline]
 netif_receive_skb_list_internal+0x1085/0x1700 net/core/dev.c:6126
 netif_receive_skb_list+0x5a/0x460 net/core/dev.c:6178
 xdp_recv_frames net/bpf/test_run.c:280 [inline]
 xdp_test_run_batch net/bpf/test_run.c:361 [inline]
 bpf_test_run_xdp_live+0x2e86/0x3480 net/bpf/test_run.c:390
 bpf_prog_test_run_xdp+0xf1d/0x1ae0 net/bpf/test_run.c:1316
 bpf_prog_test_run+0x5e5/0xa30 kernel/bpf/syscall.c:4407
 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5813
 __do_sys_bpf kernel/bpf/syscall.c:5902 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5900 [inline]
 __ia32_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5900
 ia32_sys_call+0x394d/0x4180 arch/x86/include/generated/asm/syscalls_32.h:358
 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
 __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:387
 do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:412
 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:450
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4121 [inline]
 slab_alloc_node mm/slub.c:4164 [inline]
 kmem_cache_alloc_noprof+0x915/0xe10 mm/slub.c:4171
 insert_tree net/netfilter/nf_conncount.c:372 [inline]
 count_tree net/netfilter/nf_conncount.c:450 [inline]
 nf_conncount_count+0x1415/0x1e80 net/netfilter/nf_conncount.c:521
 connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72
 __nft_match_eval net/netfilter/nft_compat.c:403 [inline]
 nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433
 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
 nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288
 nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
 nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663
 NF_HOOK_LIST include/linux/netfilter.h:350 [inline]
 ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633
 ip_list_rcv+0x9ef/0xa40 net/ip ---truncated---

AI-Powered Analysis

Last updated: 06/27/2025, 23:43:16 UTC

Technical Analysis

CVE-2025-21959 is a vulnerability identified in the Linux kernel's netfilter subsystem, specifically within the nf_conncount module responsible for connection counting and limiting. The issue arises from incomplete initialization of the nf_conncount_tuple structure in the insert_tree() function. While previous commits introduced new fields (`cpu` and `jiffies32`) to this structure and ensured their initialization during allocation in nf_conncount_add(), the insert_tree() function failed to initialize these fields properly. This leads to the use of uninitialized memory values during connection counting operations, as detected by Kernel Memory Sanitizer (KMSAN) reports indicating uninitialized value usage in functions such as find_or_evict, __nf_conncount_add, and count_tree. The vulnerability is rooted in a race condition and memory initialization oversight introduced after splitting the count_tree() function and moving allocation code to insert_tree(). Although no known exploits are reported in the wild, the flaw could potentially cause kernel instability, unpredictable behavior, or denial of service due to corrupted connection tracking data structures. The vulnerability affects Linux kernel versions containing the specified commits, which are part of the netfilter nf_conncount codebase. Since netfilter is widely used for packet filtering, firewalling, and connection limiting in Linux-based systems, this vulnerability could impact a broad range of devices and servers running vulnerable kernel versions.
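The defect described in the advisory text and the analysis above, a struct taken from a slab cache on one allocation path without its `cpu` and `jiffies32` fields being set, is modelled in the following self-contained C program. This is an added example, not kernel code: the struct is cut down to the two fields the advisory names, `cache_alloc()` stands in for kmem_cache_alloc() (poisoning the memory with 0xAA so the run is deterministic), a two-flag `shadow` struct stands in for KMSAN's shadow memory, and `find_or_evict()` is reduced to an age check with an assumed `max_age` parameter. It places the unpatched and the patched insert path side by side and shows why a garbage `jiffies32` produces a meaningless age for the eviction decision.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cut-down model of struct nf_conncount_tuple: only the two fields the
 * advisory names are kept (assumption: all other fields omitted). */
struct conn_tuple {
    uint32_t jiffies32; /* jiffies when the entry was added/confirmed */
    int      cpu;       /* CPU that created the entry */
};

/* Toy stand-in for KMSAN shadow memory: one "initialized" flag per field.
 * Real KMSAN tracks initialization per bit; this is a constructed model. */
struct shadow {
    bool jiffies32_init;
    bool cpu_init;
};

struct tracked_tuple {
    struct conn_tuple t;
    struct shadow sh;
};

/* Stand-in for kmem_cache_alloc(): contents are unspecified (poisoned with
 * 0xAA here) and the shadow marks every field uninitialized. */
static struct tracked_tuple *cache_alloc(void)
{
    struct tracked_tuple *p = malloc(sizeof(*p));

    if (!p)
        return NULL;
    memset(&p->t, 0xAA, sizeof(p->t));
    p->sh.jiffies32_init = false;
    p->sh.cpu_init = false;
    return p;
}

/* Model of insert_tree() before the fix: allocates, never sets cpu/jiffies32. */
static struct tracked_tuple *insert_tree_unpatched(void)
{
    return cache_alloc();
}

/* Model of insert_tree() after the fix: both fields are set on allocation. */
static struct tracked_tuple *insert_tree_patched(int cpu, uint32_t now)
{
    struct tracked_tuple *p = cache_alloc();

    if (!p)
        return NULL;
    p->t.cpu = cpu;
    p->sh.cpu_init = true;
    p->t.jiffies32 = now;
    p->sh.jiffies32_init = true;
    return p;
}

/* Model of the age check in find_or_evict(): an entry older than max_age
 * ticks is stale. Returns 1 = keep, 0 = evict, -1 = read of an
 * uninitialized field (the condition KMSAN flagged at nf_conncount.c:117).
 * Unsigned subtraction keeps the age correct across jiffies32 wraparound. */
static int find_or_evict(const struct tracked_tuple *p, uint32_t now,
                         uint32_t max_age)
{
    if (!p->sh.jiffies32_init || !p->sh.cpu_init)
        return -1;
    return (now - p->t.jiffies32) > max_age ? 0 : 1;
}

/* Scenario helpers: allocate, decide, free, return the verdict. */
static int verdict_unpatched(uint32_t now, uint32_t max_age)
{
    struct tracked_tuple *p = insert_tree_unpatched();
    int r;

    if (!p)
        return -2;
    r = find_or_evict(p, now, max_age);
    free(p);
    return r;
}

static int verdict_patched(int cpu, uint32_t added, uint32_t now, uint32_t max_age)
{
    struct tracked_tuple *p = insert_tree_patched(cpu, added);
    int r;

    if (!p)
        return -2;
    r = find_or_evict(p, now, max_age);
    free(p);
    return r;
}

/* What the kernel computes without a sanitizer: the age derived from the
 * poisoned jiffies32 (0xAAAAAAAA), i.e. an arbitrary, huge value. */
static uint32_t garbage_age_unpatched(uint32_t now)
{
    struct tracked_tuple *p = insert_tree_unpatched();
    uint32_t age;

    if (!p)
        return 0;
    age = now - p->t.jiffies32;
    free(p);
    return age;
}

int main(void)
{
    printf("unpatched verdict: %d (-1 = uninit read)\n", verdict_unpatched(1000, 100));
    printf("unpatched raw age: %u ticks\n", garbage_age_unpatched(1000));
    printf("patched, fresh:    %d\n", verdict_patched(3, 950, 1000, 100));
    printf("patched, stale:    %d\n", verdict_patched(3, 950, 2000, 100));
    return 0;
}
```

The point of the raw-age helper is the practical consequence: without KMSAN nothing reports the read, the entry is simply aged by whatever the slab happened to contain, so connlimit garbage collection keeps or evicts entries on data that has no relation to the connection's real age.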

Potential Impact

For European organizations, the impact of CVE-2025-21959 could be significant, especially for those relying on Linux-based infrastructure for networking, firewalls, and security appliances. The vulnerability could lead to kernel crashes or denial of service conditions, disrupting critical network services and potentially exposing systems to further attacks if attackers exploit the instability to bypass security controls. Organizations operating data centers, cloud services, telecommunications infrastructure, or critical national infrastructure that use Linux kernels with netfilter for connection tracking and limiting may experience service outages or degraded network security. The flaw does not directly indicate privilege escalation or remote code execution, but the instability and potential denial of service could have cascading effects on availability and operational continuity. Given the widespread deployment of Linux in European enterprises and public sector networks, timely patching is essential to maintain network reliability and security posture.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Identify all Linux systems running affected kernel versions containing the vulnerable nf_conncount code.
2) Apply the official Linux kernel patches that fully initialize the nf_conncount_tuple structure in insert_tree(), ensuring no uninitialized memory is used. Since patch links are not provided, organizations should monitor official Linux kernel repositories and distributions for updates addressing CVE-2025-21959.
3) For systems where immediate patching is not feasible, consider temporarily disabling or limiting the use of connection counting features in netfilter (e.g., disabling xt_connlimit or nftables rules relying on nf_conncount) to reduce exposure.
4) Implement enhanced kernel memory sanitization and monitoring to detect anomalous kernel behavior or crashes related to netfilter operations.
5) Coordinate with Linux distribution vendors to prioritize backporting and distributing security updates.
6) Conduct thorough testing of patched kernels in staging environments before deployment to avoid regressions.
7) Maintain up-to-date incident response plans to quickly address any exploitation attempts or service disruptions related to this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.793Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9820c4522896dcbdd3c2

Added to database: 5/21/2025, 9:08:48 AM

Last enriched: 6/27/2025, 11:43:16 PM

Last updated: 8/14/2025, 6:41:27 PM

Views: 16
