Import Source
https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-70100.json
JSON Data
https://api.test.osv.dev/v1/vulns/AZL-70100
Upstream
Published
2025-11-12T22:15:47Z
Modified
2026-04-01T05:21:41.440537Z
Summary
CVE-2025-40206 affecting package kernel for versions less than 6.6.117.1-1
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_objref: validate objref and objrefmap expressions

Referencing a synproxy stateful object from OUTPUT hook causes kernel crash due to infinite recursive calls:

BUG: TASK stack guard page was hit at 000000008bda5b8c (stack is 000000003ab1c4a5..00000000494d8b12)
[...]
Call Trace:
 __find_rr_leaf+0x99/0x230
 fib6_table_lookup+0x13b/0x2d0
 ip6_pol_route+0xa4/0x400
 fib6_rule_lookup+0x156/0x240
 ip6_route_output_flags+0xc6/0x150
 __nf_ip6_route+0x23/0x50
 synproxy_send_tcp_ipv6+0x106/0x200
 synproxy_send_client_synack_ipv6+0x1aa/0x1f0
 nft_synproxy_do_eval+0x263/0x310
 nft_do_chain+0x5a8/0x5f0 [nf_tables]
 nft_do_chain_inet+0x98/0x110
 nf_hook_slow+0x43/0xc0
 __ip6_local_out+0xf0/0x170
 ip6_local_out+0x17/0x70
 synproxy_send_tcp_ipv6+0x1a2/0x200
 synproxy_send_client_synack_ipv6+0x1aa/0x1f0
 [...]

Implement objref and objrefmap expression validate functions.

Currently, only the NFT_OBJECT_SYNPROXY object type requires validation. This will also handle a jump to a chain using a synproxy object from the OUTPUT hook.

Now when trying to reference a synproxy object in the OUTPUT hook, nft will produce the following error:

synproxy_crash.nft: Error: Could not process rule: Operation not supported
        synproxy name mysynproxy
        ^^^^^^^^^^^^^^^^^^^^^^^^

References

Affected packages

Azure Linux:3 / kernel

Package

Name
kernel
Purl
pkg:rpm/azure-linux/kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
6.6.117.1-1

Database specific

source
"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-70100.json"