Bug 2394639 (CVE-2025-39764)

Summary: CVE-2025-39764 kernel: Linux kernel: Denial of Service via double-increment of reference count in netfilter
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel, specifically within the netfilter: ctnetlink component. A local user could exploit a vulnerability where a reference count is incorrectly incremented twice in the expectation dumpers. This double-increment leads to a memory leak. The continuous leakage of memory can ultimately cause a Denial of Service (DoS) on the affected system.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-09-11 17:04:07 UTC 
In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: remove refcounting in expectation dumpers

Same pattern as previous patch: do not keep the expectation object
alive via refcount, only store a cookie value and then use that
as the skip hint for dump resumption.

AFAICS this has the same issue as the one resolved in the conntrack
dumper, when we do
  if (!refcount_inc_not_zero(&exp->use))

to increment the refcount, there is a chance that exp == last, which
causes a double-increment of the refcount and subsequent memory leak.
Comment 1 Jon Moroney 2025-09-11 18:54:35 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091147-CVE-2025-39764-b300@gregkh/T