CVE-2025-53141: 
vulnerability analysis and mitigation

A vulnerability in the Linux kernel's netfilter ipset module was discovered and assigned CVE-2024-53141. The issue was first published on December 6, 2024, and last updated on August 6, 2025. The vulnerability received a CVSS 3 Severity Score of 7.8 (High) (Ubuntu CVE).

The vulnerability exists in the bitmapipuadt function of the netfilter ipset module. When tb[IPSETATTRIPTO] is not present but tb[IPSETATTRCIDR] exists, the values of ip and ipto are incorrectly swapped. The range check for ip is missing, leading to potential exploitation. The issue requires adding missing range checks and removing unnecessary ones (Ubuntu CVE).

The vulnerability has been classified as having a High severity with a CVSS score of 7.8, indicating significant potential impact on affected systems (Ubuntu CVE).

Multiple Linux distributions have released patches to address this vulnerability. Ubuntu has provided fixes across various kernel versions, including linux-azure 6.11.0-1009.9 for 24.10, linux-hwe-6.8 6.8.0-52.53~22.04.1 for 22.04 LTS, and linux-hwe-5.15 5.15.0-131.141~20.04.1 for 20.04 LTS. Red Hat has also included fixes for this vulnerability in their security updates (Ubuntu CVE, Red Hat Advisory).