Bug 2356638 (CVE-2025-21958) - CVE-2025-21958 kernel: Revert "openvswitch: switch to per-action label counting in conntrack"
Summary: CVE-2025-21958 kernel: Revert "openvswitch: switch to per-action label counti...
Keywords:
Status: NEW
Alias: CVE-2025-21958
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-04-01 16:03 UTC by OSIDB Bzimport
Modified: 2025-04-02 04:51 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-04-01 16:03:51 UTC 
In the Linux kernel, the following vulnerability has been resolved:

Revert "openvswitch: switch to per-action label counting in conntrack"

Currently, ovs_ct_set_labels() is only called for confirmed conntrack
entries (ct) within ovs_ct_commit(). However, if the conntrack entry
does not have the labels_ext extension, attempting to allocate it in
ovs_ct_get_conn_labels() for a confirmed entry triggers a warning in
nf_ct_ext_add():

  WARN_ON(nf_ct_is_confirmed(ct));

This happens when the conntrack entry is created externally before OVS
increments net->ct.labels_used. The issue has become more likely since
commit fcb1aa5163b1 ("openvswitch: switch to per-action label counting
in conntrack"), which changed to use per-action label counting and
increment net->ct.labels_used when a flow with ct action is added.

Since there’s no straightforward way to fully resolve this issue at the
moment, this reverts the commit to avoid breaking existing use cases.
Comment 1 Robb Gatica 2025-04-02 01:32:15 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025040144-CVE-2025-21958-c94c@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.