CVE-2025-38201

Advisory lineage Upstream: 0 Downstream: 29

Downstream

DEBIAN-CVE-2025-38201 DLA-4498-1 DLA-4499-1 DSA-6163-1 OPENSUSE-SU-2025:20081-1 SUSE-SU-2025:03272-1

Analyzed

Published: 04 Jul 2025, 13:37

Last modified:11 May 2026, 21:23

Vulnerability Summary

Overall Risk (default)

medium

31/100

CVSS Score

7.8 HIGH

v3.1 (nvd)

EPSS Score

0.03% LOW

0% probability +0.02%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

04 Jul 2025, 13:37

Published

Vulnerability first disclosed

11 May 2026, 21:23

Last Modified

Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX Otherwise, it is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when resizing hashtable because __GFP_NOWARN is unset. Similar to: b541ba7d1f5a ("netfilter: conntrack: clamp maximum hashtable size to INT_MAX")

CVSS Metrics

v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.03%• Percentile: 10%

Affected Systems

linux•linux
≥ 3c4287f62044a90e73a561aa05fc46e62da173da, < 1fe27f97944017a9d3c5af4d6d95282bff0f1147 | ≥ 3c4287f62044a90e73a561aa05fc46e62da173da, < 4abccfb61f422300be014b8e734c63344306f009 | ≥ 3c4287f62044a90e73a561aa05fc46e62da173da, < 80417057ac60dd80f4816eb426e4e4a5bf696534 | ≥ 3c4287f62044a90e73a561aa05fc46e62da173da, < df524a68d9021c1401965d610bb6e42ee5d9611e | ≥ 3c4287f62044a90e73a561aa05fc46e62da173da, < 0ab3de047808f375a36cd345225572eb3366f3c6 | ≥ 3c4287f62044a90e73a561aa05fc46e62da173da, < d2768016f091f8a5264076b433fd7c3fabb6eb97 | ≥ 3c4287f62044a90e73a561aa05fc46e62da173da, < b85e3367a5716ed3662a4fe266525190d2af76df | 5.6
linux•linux_kernel
≥ 5.6, < 6.12.35 | ≥ 6.13, < 6.15.4