CVE-2025-38201: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-38201 is a vulnerability discovered in the Linux kernel's netfilter component, specifically in the nftsetpipapo functionality. The vulnerability was disclosed on July 4, 2025, affecting the Linux kernel's netfilter subsystem. The issue relates to the maximum map bucket size not being properly clamped to INT_MAX (NVD).

The vulnerability occurs in the netfilter's nftsetpipapo component where the maximum map bucket size is not properly limited to INTMAX. This can trigger a WARNONONCE condition in _kvmallocnodenoprof() during hashtable resizing operations because _GFPNOWARN is unset. The issue is similar to a previous fix identified as b541ba7d1f5a which addressed a similar problem in netfilter conntrack (Debian Tracker).

When exploited, this vulnerability can lead to system warnings and potential memory allocation issues in the Linux kernel's netfilter subsystem. The impact primarily affects systems using the nftsetpipapo component for network filtering operations (NVD).

The vulnerability has been addressed in various Linux distributions. Debian has marked this as fixed in version 6.12.35-1 for trixie and 6.12.37-1 for sid. Several other versions remain vulnerable and require updates, including bullseye (5.10.223-1), bookworm (6.1.137-1), and their respective security releases (Debian Tracker).