In the Linux kernel, the following vulnerability has been resolved:
netfilter: conntrack: clamp maximum hashtable size to INT_MAX
Use INTMAX as maximum size for the conntrack hashtable. Otherwise, it is possible to hit WARNONONCE in _kvmallocnodenoprof() when resizing hashtable because _GFPNOWARN is unset. See:
0708a0afe291 ("mm: Consider _GFPNOWARN flag for oversized kvmalloc() calls")
Note: hashtable resize is only possible from init_netns.
[ { "signature_version": "v1", "id": "CVE-2025-21648-028da9f2", "target": { "file": "net/netfilter/nf_conntrack_core.c", "function": "nf_ct_alloc_hashtable" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d5807dd1328bbc86e059c5de80d1bbee9d58ca3d", "digest": { "function_hash": "198072172700429071166294425493954324734", "length": 449.0 }, "signature_type": "Function", "deprecated": false }, { "signature_version": "v1", "id": "CVE-2025-21648-18fbf9fb", "target": { "file": "net/netfilter/nf_conntrack_core.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b1b2353d768f1b80cd7fe045a70adee576b9b338", "digest": { "line_hashes": [ "100742001743467837026003336427923897569", "136913008291690439409452711634507647829", "240676253655217886639114674401703977166", "88175053978683211027932843953036451731", "195844670468805591524932565799706360352", "72361630575297061104232034322002344212", "137529033096796995854649520563270158250" ], "threshold": 0.9 }, "signature_type": "Line", "deprecated": false }, { "signature_version": "v1", "id": "CVE-2025-21648-1d97612e", "target": { "file": "net/netfilter/nf_conntrack_core.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5552b4fd44be3393b930434a7845d8d95a2a3c33", "digest": { "line_hashes": [ "100742001743467837026003336427923897569", "136913008291690439409452711634507647829", "240676253655217886639114674401703977166", "88175053978683211027932843953036451731", "195844670468805591524932565799706360352", "72361630575297061104232034322002344212", "137529033096796995854649520563270158250" ], "threshold": 0.9 }, "signature_type": "Line", "deprecated": false }, { "signature_version": "v1", "id": "CVE-2025-21648-504151f6", "target": { "file": "net/netfilter/nf_conntrack_core.c", "function": "nf_ct_alloc_hashtable" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f559357d035877b9d0dcd273e0ff83e18e1d46aa", "digest": { "function_hash": "198072172700429071166294425493954324734", "length": 449.0 }, "signature_type": "Function", "deprecated": false }, { "signature_version": "v1", "id": "CVE-2025-21648-6004afd8", "target": { "file": "net/netfilter/nf_conntrack_core.c", "function": "nf_ct_alloc_hashtable" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5552b4fd44be3393b930434a7845d8d95a2a3c33", "digest": { "function_hash": "198072172700429071166294425493954324734", "length": 449.0 }, "signature_type": "Function", "deprecated": false }, { "signature_version": "v1", "id": "CVE-2025-21648-6891be08", "target": { "file": "net/netfilter/nf_conntrack_core.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f559357d035877b9d0dcd273e0ff83e18e1d46aa", "digest": { "line_hashes": [ "100742001743467837026003336427923897569", "136913008291690439409452711634507647829", "240676253655217886639114674401703977166", "88175053978683211027932843953036451731", "195844670468805591524932565799706360352", "72361630575297061104232034322002344212", "137529033096796995854649520563270158250" ], "threshold": 0.9 }, "signature_type": "Line", "deprecated": false }, { "signature_version": "v1", "id": "CVE-2025-21648-c1e1582d", "target": { "file": "net/netfilter/nf_conntrack_core.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a965f7f0ea3ae61b9165bed619d5d6da02c75f80", "digest": { "line_hashes": [ "100742001743467837026003336427923897569", "136913008291690439409452711634507647829", "240676253655217886639114674401703977166", "88175053978683211027932843953036451731", "195844670468805591524932565799706360352", "72361630575297061104232034322002344212", "137529033096796995854649520563270158250" ], "threshold": 0.9 }, "signature_type": "Line", "deprecated": false }, { "signature_version": "v1", "id": "CVE-2025-21648-d987ee32", "target": { "file": "net/netfilter/nf_conntrack_core.c", "function": "nf_ct_alloc_hashtable" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b541ba7d1f5a5b7b3e2e22dc9e40e18a7d6dbc13", "digest": { "function_hash": "198072172700429071166294425493954324734", "length": 449.0 }, "signature_type": "Function", "deprecated": false }, { "signature_version": "v1", "id": "CVE-2025-21648-deae5262", "target": { "file": "net/netfilter/nf_conntrack_core.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d5807dd1328bbc86e059c5de80d1bbee9d58ca3d", "digest": { "line_hashes": [ "100742001743467837026003336427923897569", "136913008291690439409452711634507647829", "240676253655217886639114674401703977166", "88175053978683211027932843953036451731", "195844670468805591524932565799706360352", "72361630575297061104232034322002344212", "137529033096796995854649520563270158250" ], "threshold": 0.9 }, "signature_type": "Line", "deprecated": false }, { "signature_version": "v1", "id": "CVE-2025-21648-f488696b", "target": { "file": "net/netfilter/nf_conntrack_core.c", "function": "nf_ct_alloc_hashtable" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b1b2353d768f1b80cd7fe045a70adee576b9b338", "digest": { "function_hash": "198072172700429071166294425493954324734", "length": 449.0 }, "signature_type": "Function", "deprecated": false }, { "signature_version": "v1", "id": "CVE-2025-21648-f86e3ea7", "target": { "file": "net/netfilter/nf_conntrack_core.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b541ba7d1f5a5b7b3e2e22dc9e40e18a7d6dbc13", "digest": { "line_hashes": [ "100742001743467837026003336427923897569", "136913008291690439409452711634507647829", "240676253655217886639114674401703977166", "88175053978683211027932843953036451731", "195844670468805591524932565799706360352", "72361630575297061104232034322002344212", "137529033096796995854649520563270158250" ], "threshold": 0.9 }, "signature_type": "Line", "deprecated": false }, { "signature_version": "v1", "id": "CVE-2025-21648-fbd5747e", "target": { "file": "net/netfilter/nf_conntrack_core.c", "function": "nf_ct_alloc_hashtable" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a965f7f0ea3ae61b9165bed619d5d6da02c75f80", "digest": { "function_hash": "198072172700429071166294425493954324734", "length": 449.0 }, "signature_type": "Function", "deprecated": false } ]