CVE-2025-71097

In the Linux kernel, the following vulnerability has been resolved: ipv4: Fix reference count leak when using error routes with nexthop objects When a nexthop object is deleted, it is marked as dead and then fib_table_flush() is called to flush all the routes that are using the dead nexthop. The current logic in fib_table_flush() is to only flush error routes (e.g., blackhole) when it is called as part of network namespace dismantle (i.e., with flush_all=true). Therefore, error routes are not flushed when their nexthop object is deleted: # ip link add name dummy1 up type dummy # ip nexthop add id 1 dev dummy1 # ip route add 198.51.100.1/32 nhid 1 # ip route add blackhole 198.51.100.2/32 nhid 1 # ip nexthop del id 1 # ip route show blackhole 198.51.100.2 nhid 1 dev dummy1 As such, they keep holding a reference on the nexthop object which in turn holds a reference on the nexthop device, resulting in a reference count leak: # ip link del dev dummy1 [ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2 Fix by flushing error routes when their nexthop is marked as dead. IPv6 does not suffer from this problem.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/30386e090c49e803c0616a7147e43409c32a2b0e	Patch
https://git.kernel.org/stable/c/33ff5c207c873215e54e6176624ed57423cb7dea	Patch
https://git.kernel.org/stable/c/5979338c83012110ccd45cae6517591770bfe536	Patch
https://git.kernel.org/stable/c/5de7ad7e18356e39e8fbf7edd185a5faaf4f385a	Patch
https://git.kernel.org/stable/c/ac782f4e3bfcde145b8a7f8af31d9422d94d172a	Patch
https://git.kernel.org/stable/c/e3fc381320d04e4a74311e576a86cac49a16fc43	Patch
https://git.kernel.org/stable/c/ee4183501ea556dca31f5ffd8690aa9fd25b609f	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:5.3:-::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc6::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc7::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc8::::::

History

17 Jun 2026, 10:03

Type	Values Removed	Values Added
Summary		(es) En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: ipv4: Corrección de fuga de contador de referencias al usar rutas de error con objetos nexthop Cuando un objeto nexthop es eliminado, es marcado como muerto y luego se llama a fib_table_flush() para vaciar todas las rutas que están usando el nexthop muerto. La lógica actual en fib_table_flush() es vaciar solo las rutas de error (p. ej., blackhole) cuando se llama como parte del desmantelamiento de un espacio de nombres de red (es decir, con flush_all=true). Por lo tanto, las rutas de error no se vacían cuando su objeto nexthop es eliminado: # ip link add name dummy1 up type dummy # ip nexthop add id 1 dev dummy1 # ip route add 198.51.100.1/32 nhid 1 # ip route add blackhole 198.51.100.2/32 nhid 1 # ip nexthop del id 1 # ip route show blackhole 198.51.100.2 nhid 1 dev dummy1 Como tal, siguen manteniendo una referencia en el objeto nexthop que a su vez mantiene una referencia en el dispositivo nexthop, lo que resulta en una fuga de contador de referencias: # ip link del dev dummy1 [ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2 Corrección vaciando las rutas de error cuando su nexthop es marcado como muerto. IPv6 no sufre de este problema.

25 Mar 2026, 16:56

Type	Values Removed	Values Added
First Time		Linux Linux linux Kernel
CWE		NVD-CWE-Other
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
CPE		cpe:2.3:o:linux:linux_kernel:6.19:rc1:::::: cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.19:rc8:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc3:::::: cpe:2.3:o:linux:linux_kernel:5.3:-:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc6:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc7::::::
References	~~() https://git.kernel.org/stable/c/30386e090c49e803c0616a7147e43409c32a2b0e -~~	() https://git.kernel.org/stable/c/30386e090c49e803c0616a7147e43409c32a2b0e - Patch
References	~~() https://git.kernel.org/stable/c/33ff5c207c873215e54e6176624ed57423cb7dea -~~	() https://git.kernel.org/stable/c/33ff5c207c873215e54e6176624ed57423cb7dea - Patch
References	~~() https://git.kernel.org/stable/c/5979338c83012110ccd45cae6517591770bfe536 -~~	() https://git.kernel.org/stable/c/5979338c83012110ccd45cae6517591770bfe536 - Patch
References	~~() https://git.kernel.org/stable/c/5de7ad7e18356e39e8fbf7edd185a5faaf4f385a -~~	() https://git.kernel.org/stable/c/5de7ad7e18356e39e8fbf7edd185a5faaf4f385a - Patch
References	~~() https://git.kernel.org/stable/c/ac782f4e3bfcde145b8a7f8af31d9422d94d172a -~~	() https://git.kernel.org/stable/c/ac782f4e3bfcde145b8a7f8af31d9422d94d172a - Patch
References	~~() https://git.kernel.org/stable/c/e3fc381320d04e4a74311e576a86cac49a16fc43 -~~	() https://git.kernel.org/stable/c/e3fc381320d04e4a74311e576a86cac49a16fc43 - Patch
References	~~() https://git.kernel.org/stable/c/ee4183501ea556dca31f5ffd8690aa9fd25b609f -~~	() https://git.kernel.org/stable/c/ee4183501ea556dca31f5ffd8690aa9fd25b609f - Patch

19 Jan 2026, 13:16

Type	Values Removed	Values Added
References		() https://git.kernel.org/stable/c/33ff5c207c873215e54e6176624ed57423cb7dea - () https://git.kernel.org/stable/c/5de7ad7e18356e39e8fbf7edd185a5faaf4f385a -

13 Jan 2026, 16:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-13 16:16

Updated : 2026-06-17 10:03

NVD link : CVE-2025-71097

Mitre link : CVE-2025-71097

CVE.ORG link : CVE-2025-71097

JSON object : View

Products Affected

linux

linux_kernel

CWE

NVD-CWE-Other

5.5 /10