Bug 2393541 (CVE-2025-38732) - CVE-2025-38732 kernel: netfilter: nf_reject: don't leak dst refcount for loopback packets
Summary: CVE-2025-38732 kernel: netfilter: nf_reject: don't leak dst refcount for loop...
Keywords:
Status: NEW
Alias: CVE-2025-38732
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-09-05 18:05 UTC by OSIDB Bzimport
Modified: 2025-09-05 19:28 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-09-05 18:05:13 UTC 
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_reject: don't leak dst refcount for loopback packets

recent patches to add a WARN() when replacing skb dst entry found an
old bug:

WARNING: include/linux/skbuff.h:1165 skb_dst_check_unset include/linux/skbuff.h:1164 [inline]
WARNING: include/linux/skbuff.h:1165 skb_dst_set include/linux/skbuff.h:1210 [inline]
WARNING: include/linux/skbuff.h:1165 nf_reject_fill_skb_dst+0x2a4/0x330 net/ipv4/netfilter/nf_reject_ipv4.c:234
[..]
Call Trace:
 nf_send_unreach+0x17b/0x6e0 net/ipv4/netfilter/nf_reject_ipv4.c:325
 nft_reject_inet_eval+0x4bc/0x690 net/netfilter/nft_reject_inet.c:27
 expr_call_ops_eval net/netfilter/nf_tables_core.c:237 [inline]
 ..

This is because blamed commit forgot about loopback packets.
Such packets already have a dst_entry attached, even at PRE_ROUTING stage.

Instead of checking hook just check if the skb already has a route
attached to it.
Comment 1 Keith Grant 2025-09-05 19:24:54 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025090543-CVE-2025-38732-f9e4@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.