In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: prefer nftchainvalidate nftchainvalidate already performs loop detection because a cycle will result in a call stack overflow (ctx->level >= NFTJUMPSTACKSIZE). It also follows maps via ->validate callback in nftlookup, so there appears no reason to iterate the maps again. nftablescheckloops() and all its helper functions can be removed. This improves ruleset load time significantly, from 23s down to 12s. This also fixes a crash bug. Old loop detection code can result in unbounded recursion: BUG: TASK stack guard page was hit at .... Oops: stack guard page: 0000 [#1] PREEMPT SMP KASAN CPU: 4 PID: 1539 Comm: nft Not tainted 6.10.0-rc5+ #1 [..] with a suitable ruleset during validation of register stores. I can't see any actual reason to attempt to check for this from nftvalidateregisterstore(), at this point the transaction is still in progress, so we don't have a full picture of the rule graph. For nf-next it might make sense to either remove it or make this depend on table->validatestate in case we could catch an error earlier (for improved error reporting to userspace).