CVE-2025-21648: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21648 is a vulnerability discovered in the Linux kernel's netfilter connection tracking (conntrack) subsystem. The issue was identified and disclosed on January 19, 2025, affecting the hashtable size handling in the netfilter conntrack module. The vulnerability specifically relates to the possibility of triggering a WARNONONCE condition in kvmallocnodenoprof() when resizing the conntrack hashtable due to unset GFP_NOWARN flag (NVD).

The vulnerability stems from improper size validation in the netfilter conntrack hashtable implementation. The issue occurs when resizing the conntrack hashtable because the GFP_NOWARN flag is unset in the kvmallocnodenoprof() function. The fix involves clamping the maximum hashtable size to INTMAX instead of UINTMAX. This modification prevents potential issues during hashtable resizing operations, which are only possible from init_netns. Red Hat has assigned this vulnerability a CVSS v3 base score of 7.1, categorizing it as having Moderate impact (Red Hat).

The vulnerability has been rated with a CVSS v3 base score of 7.1 (Moderate impact) by Red Hat. The impact assessment indicates high potential for affecting confidentiality and availability, while maintaining no impact on integrity. The vulnerability requires local access with low attack complexity and low privileges required for exploitation (Red Hat).

The vulnerability has been patched in various Linux kernel versions. Debian has fixed the issue in version 6.1.128-1 for the bookworm release and 6.12.12-1 for the trixie release. The fix involves clamping the maximum hashtable size to INT_MAX and adding additional size validation checks (Debian).