CVE-2025-21958
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-21958
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21958.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-21958
- Downstream
- Published
- 2025-04-01T15:46:57.268Z
- Modified
- 2025-11-16T14:33:42.436287Z
- Summary
- Revert "openvswitch: switch to per-action label counting in conntrack"
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
Revert "openvswitch: switch to per-action label counting in conntrack"
Currently, ovsctsetlabels() is only called for confirmed conntrack entries (ct) within ovsctcommit(). However, if the conntrack entry does not have the labelsext extension, attempting to allocate it in ovsctgetconnlabels() for a confirmed entry triggers a warning in nfctext_add():
WARNON(nfctisconfirmed(ct));
This happens when the conntrack entry is created externally before OVS increments net->ct.labelsused. The issue has become more likely since commit fcb1aa5163b1 ("openvswitch: switch to per-action label counting in conntrack"), which changed to use per-action label counting and increment net->ct.labelsused when a flow with ct action is added.
Since there’s no straightforward way to fully resolve this issue at the moment, this reverts the commit to avoid breaking existing use cases.
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedfcb1aa5163b1ae4cf2864b688b08927aac51f51eFixed9e79fdabd52cfce1a021640a81256878a2c516a2
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedfcb1aa5163b1ae4cf2864b688b08927aac51f51eFixedd91bfc64a4886102746e74d2c6f3a61e9a77fd7d
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedfcb1aa5163b1ae4cf2864b688b08927aac51f51eFixed1063ae07383c0ddc5bcce170260c143825846b03
Affected versions
v6.*
v6.11
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.13.1
v6.13.2
v6.13.3
v6.13.4
v6.13.5
v6.13.6
v6.13.7
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
Database specific
vanir_signatures
[
{
"digest": {
"function_hash": "257096851342265496164539648458260641514",
"length": 1601.0
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21958-1ea07d4e",
"target": {
"file": "net/openvswitch/conntrack.c",
"function": "ovs_ct_copy_action"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9e79fdabd52cfce1a021640a81256878a2c516a2",
"signature_type": "Function"
},
{
"digest": {
"function_hash": "98148264023449500744716654008198504729",
"length": 398.0
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21958-35db4729",
"target": {
"file": "net/openvswitch/conntrack.c",
"function": "ovs_ct_verify"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1063ae07383c0ddc5bcce170260c143825846b03",
"signature_type": "Function"
},
{
"digest": {
"function_hash": "73568627333227446217697601196173620206",
"length": 188.0
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21958-3c8c28a4",
"target": {
"file": "net/openvswitch/conntrack.c",
"function": "ovs_ct_init"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9e79fdabd52cfce1a021640a81256878a2c516a2",
"signature_type": "Function"
},
{
"digest": {
"function_hash": "98148264023449500744716654008198504729",
"length": 398.0
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21958-60592195",
"target": {
"file": "net/openvswitch/conntrack.c",
"function": "ovs_ct_verify"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d91bfc64a4886102746e74d2c6f3a61e9a77fd7d",
"signature_type": "Function"
},
{
"digest": {
"function_hash": "257096851342265496164539648458260641514",
"length": 1601.0
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21958-835856a4",
"target": {
"file": "net/openvswitch/conntrack.c",
"function": "ovs_ct_copy_action"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d91bfc64a4886102746e74d2c6f3a61e9a77fd7d",
"signature_type": "Function"
},
{
"digest": {
"function_hash": "270590517637580499530931756957017518651",
"length": 163.0
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21958-840fbd6a",
"target": {
"file": "net/openvswitch/conntrack.c",
"function": "ovs_ct_exit"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9e79fdabd52cfce1a021640a81256878a2c516a2",
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"131995564147619549070395397682184111870",
"141552006984725937002952973262565639380",
"212038486494172181517960856125751366265",
"118616984392230935529939437270574941514"
]
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21958-85b139e8",
"target": {
"file": "net/openvswitch/datapath.h"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9e79fdabd52cfce1a021640a81256878a2c516a2",
"signature_type": "Line"
},
{
"digest": {
"function_hash": "98148264023449500744716654008198504729",
"length": 398.0
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21958-87c3f86c",
"target": {
"file": "net/openvswitch/conntrack.c",
"function": "ovs_ct_verify"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9e79fdabd52cfce1a021640a81256878a2c516a2",
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"107297358099146168712305438092583728147",
"322182889202377807026531537638380814331",
"128973916877754210558038953741917846398",
"139488714597736244248906718418877076178",
"259425612192470143921620433165387318743",
"65425586664789468813143488985554976394",
"22862255395262484453595055205473264766",
"262005026216613330744743415228910683189",
"114232469746255591455843689773393701865",
"189198814659617151327747537280537302488",
"332937587785932142005559710080440724771",
"174386921594579781302672034220735524913",
"91842970474329459764837670911443739257",
"286776795958029898110596874113433681515",
"164577592561454215839726253431377915304",
"129573428318601965691041891139253569140",
"108395993905395635910755654451151792749",
"283666076057562435574900654528621819333",
"301124701466684769419732621380343407867",
"279285556207927926599341378353376603818",
"14777617611608730137872311825910804027",
"200322661516105020208911688619980043271",
"184877604336693383760262267259035835809",
"2393968935051012904716664052211885980",
"60275634492251029940129080908270980967",
"214911448614819796080590631394811332184",
"57340706022859027164160767869492221689",
"124120111338064905208203195909381426163",
"277237628266573381992885322941390237903",
"21726359059838091242220331284693449348",
"100819188648269171287024557866937348501"
]
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21958-9894f339",
"target": {
"file": "net/openvswitch/conntrack.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d91bfc64a4886102746e74d2c6f3a61e9a77fd7d",
"signature_type": "Line"
},
{
"digest": {
"function_hash": "270590517637580499530931756957017518651",
"length": 163.0
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21958-9bb17c83",
"target": {
"file": "net/openvswitch/conntrack.c",
"function": "ovs_ct_exit"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d91bfc64a4886102746e74d2c6f3a61e9a77fd7d",
"signature_type": "Function"
},
{
"digest": {
"function_hash": "247955087892648273847794164385249718420",
"length": 338.0
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21958-a2620c0b",
"target": {
"file": "net/openvswitch/conntrack.c",
"function": "__ovs_ct_free_action"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1063ae07383c0ddc5bcce170260c143825846b03",
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"107297358099146168712305438092583728147",
"322182889202377807026531537638380814331",
"128973916877754210558038953741917846398",
"139488714597736244248906718418877076178",
"259425612192470143921620433165387318743",
"65425586664789468813143488985554976394",
"22862255395262484453595055205473264766",
"262005026216613330744743415228910683189",
"114232469746255591455843689773393701865",
"189198814659617151327747537280537302488",
"332937587785932142005559710080440724771",
"174386921594579781302672034220735524913",
"91842970474329459764837670911443739257",
"286776795958029898110596874113433681515",
"164577592561454215839726253431377915304",
"129573428318601965691041891139253569140",
"108395993905395635910755654451151792749",
"283666076057562435574900654528621819333",
"301124701466684769419732621380343407867",
"279285556207927926599341378353376603818",
"14777617611608730137872311825910804027",
"200322661516105020208911688619980043271",
"184877604336693383760262267259035835809",
"2393968935051012904716664052211885980",
"60275634492251029940129080908270980967",
"214911448614819796080590631394811332184",
"57340706022859027164160767869492221689",
"124120111338064905208203195909381426163",
"277237628266573381992885322941390237903",
"21726359059838091242220331284693449348",
"100819188648269171287024557866937348501"
]
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21958-be441186",
"target": {
"file": "net/openvswitch/conntrack.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9e79fdabd52cfce1a021640a81256878a2c516a2",
"signature_type": "Line"
},
{
"digest": {
"function_hash": "270590517637580499530931756957017518651",
"length": 163.0
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21958-ccd7e7bc",
"target": {
"file": "net/openvswitch/conntrack.c",
"function": "ovs_ct_exit"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1063ae07383c0ddc5bcce170260c143825846b03",
"signature_type": "Function"
},
{
"digest": {
"function_hash": "247955087892648273847794164385249718420",
"length": 338.0
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21958-d70da371",
"target": {
"file": "net/openvswitch/conntrack.c",
"function": "__ovs_ct_free_action"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d91bfc64a4886102746e74d2c6f3a61e9a77fd7d",
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"131995564147619549070395397682184111870",
"141552006984725937002952973262565639380",
"212038486494172181517960856125751366265",
"118616984392230935529939437270574941514"
]
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21958-d8c51f97",
"target": {
"file": "net/openvswitch/datapath.h"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d91bfc64a4886102746e74d2c6f3a61e9a77fd7d",
"signature_type": "Line"
},
{
"digest": {
"function_hash": "73568627333227446217697601196173620206",
"length": 188.0
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21958-dd41b86b",
"target": {
"file": "net/openvswitch/conntrack.c",
"function": "ovs_ct_init"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1063ae07383c0ddc5bcce170260c143825846b03",
"signature_type": "Function"
},
{
"digest": {
"function_hash": "247955087892648273847794164385249718420",
"length": 338.0
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21958-e7d19dc7",
"target": {
"file": "net/openvswitch/conntrack.c",
"function": "__ovs_ct_free_action"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9e79fdabd52cfce1a021640a81256878a2c516a2",
"signature_type": "Function"
},
{
"digest": {
"function_hash": "257096851342265496164539648458260641514",
"length": 1601.0
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21958-ea93c16e",
"target": {
"file": "net/openvswitch/conntrack.c",
"function": "ovs_ct_copy_action"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1063ae07383c0ddc5bcce170260c143825846b03",
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"107297358099146168712305438092583728147",
"322182889202377807026531537638380814331",
"128973916877754210558038953741917846398",
"139488714597736244248906718418877076178",
"259425612192470143921620433165387318743",
"65425586664789468813143488985554976394",
"22862255395262484453595055205473264766",
"262005026216613330744743415228910683189",
"114232469746255591455843689773393701865",
"189198814659617151327747537280537302488",
"332937587785932142005559710080440724771",
"174386921594579781302672034220735524913",
"91842970474329459764837670911443739257",
"286776795958029898110596874113433681515",
"164577592561454215839726253431377915304",
"129573428318601965691041891139253569140",
"108395993905395635910755654451151792749",
"283666076057562435574900654528621819333",
"301124701466684769419732621380343407867",
"279285556207927926599341378353376603818",
"14777617611608730137872311825910804027",
"200322661516105020208911688619980043271",
"184877604336693383760262267259035835809",
"2393968935051012904716664052211885980",
"60275634492251029940129080908270980967",
"214911448614819796080590631394811332184",
"57340706022859027164160767869492221689",
"124120111338064905208203195909381426163",
"277237628266573381992885322941390237903",
"21726359059838091242220331284693449348",
"100819188648269171287024557866937348501"
]
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21958-f168ab5d",
"target": {
"file": "net/openvswitch/conntrack.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1063ae07383c0ddc5bcce170260c143825846b03",
"signature_type": "Line"
},
{
"digest": {
"function_hash": "73568627333227446217697601196173620206",
"length": 188.0
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21958-f4ce2823",
"target": {
"file": "net/openvswitch/conntrack.c",
"function": "ovs_ct_init"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d91bfc64a4886102746e74d2c6f3a61e9a77fd7d",
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"131995564147619549070395397682184111870",
"141552006984725937002952973262565639380",
"212038486494172181517960856125751366265",
"118616984392230935529939437270574941514"
]
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21958-fc8c0238",
"target": {
"file": "net/openvswitch/datapath.h"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1063ae07383c0ddc5bcce170260c143825846b03",
"signature_type": "Line"
}
]