[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2025-38472":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T14:53:31.930Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":23,"related":24,"reserved_at":9,"published_at":25,"modified_at":26,"state":9,"summary":27,"references_raw":29,"kevs":36,"epss":9,"epss_history":37,"metrics":38,"affected":45},"DEBIAN-CVE-2025-38472","In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_conntrack: fix crash due to removal of uninitialised entry  A crash in conntrack was reported while trying to unlink the conntrack entry from the hash bucket list:     [exception RIP: __nf_ct_delete_from_lists+172]     [..]  #7 [ff539b5a2b043aa0] nf_ct_delete at ffffffffc124d421 [nf_conntrack]  #8 [ff539b5a2b043ad0] nf_ct_gc_expired at ffffffffc124d999 [nf_conntrack]  #9 [ff539b5a2b043ae0] __nf_conntrack_find_get at ffffffffc124efbc [nf_conntrack]     [..]  The nf_conn struct is marked as allocated from slab but appears to be in a partially initialised state:   ct hlist pointer is garbage; looks like the ct hash value  (hence crash).  ct->status is equal to IPS_CONFIRMED|IPS_DYING, which is expected  ct->timeout is 30000 (=30s), which is unexpected.  Everything else looks like normal udp conntrack entry.  If we ignore ct->status and pretend its 0, the entry matches those that are newly allocated but not yet inserted into the hash:   - ct hlist pointers are overloaded and store/cache the raw tuple hash   - ct->timeout matches the relative time expected for a new udp flow     rather than the absolute 'jiffies' value.  If it were not for the presence of IPS_CONFIRMED, __nf_conntrack_find_get() would have skipped the entry.  
Theory is that we did hit following race:  cpu x \t\t\tcpu y\t\t\tcpu z  found entry E\t\tfound entry E  E is expired\t\t\u003Cpreemption>  nf_ct_delete()  return E to rcu slab \t\t\t\t\tinit_conntrack \t\t\t\t\tE is re-inited, \t\t\t\t\tct->status set to 0 \t\t\t\t\treply tuplehash hnnode.pprev \t\t\t\t\tstores hash value.  cpu y found E right before it was deleted on cpu x. E is now re-inited on cpu z.  cpu y was preempted before checking for expiry and/or confirm bit.  \t\t\t\t\t->refcnt set to 1 \t\t\t\t\tE now owned by skb \t\t\t\t\t->timeout set to 30000  If cpu y were to resume now, it would observe E as expired but would skip E due to missing CONFIRMED bit.  \t\t\t\t\tnf_conntrack_confirm gets called \t\t\t\t\tsets: ct->status |= CONFIRMED \t\t\t\t\tThis is wrong: E is not yet added \t\t\t\t\tto hashtable.  cpu y resumes, it observes E as expired but CONFIRMED: \t\t\t\u003Cresumes> \t\t\tnf_ct_expired() \t\t\t -> yes (ct->timeout is 30s) \t\t\tconfirmed bit set.  cpu y will try to delete E from the hashtable: \t\t\tnf_ct_delete() -> set DYING bit \t\t\t__nf_ct_delete_from_lists  Even this scenario doesn't guarantee a crash: cpu z still holds the table bucket lock(s) so y blocks:  \t\t\twait for spinlock held by z  \t\t\t\t\tCONFIRMED is set but there is no \t\t\t\t\tguarantee ct will be added to hash: \t\t\t\t\t\"chaintoolong\" or \"clash resolution\" \t\t\t\t\tlogic both skip the insert step. \t\t\t\t\treply hnnode.pprev still stores the \t\t\t\t\thash value.  \t\t\t\t\tunlocks spinlock \t\t\t\t\treturn NF_DROP \t\t\t\u003Cunblocks, then \t\t\t crashes on hlist_nulls_del_rcu pprev>  In case CPU z does insert the entry into the hashtable, cpu y will unlink E again right away but no crash occurs.  Without 'cpu y' race, 'garbage' hlist is of no consequence: ct refcnt remains at 1, eventually skb will be free'd and E gets destroyed via: nf_conntrack_put -> nf_conntrack_destroy -> nf_ct_destroy.  
To resolve this, move the IPS_CONFIRMED assignment after the table insertion but before the unlock.  Pablo points out that the confirm-bit-store could be reordered to happen before hlist add resp. the timeout fixup, so switch to set_bit and before_atomic memory barrier to prevent this.  It doesn't matter if other CPUs can observe a newly inserted entry right before the CONFIRMED bit was set:  Such event cannot be distinguished from above \"E is the old incarnation\" case: the entry will be skipped.  Also change nf_ct_should_gc() to first check the confirmed bit.  The gc sequence is:  1. Check if entry has expired, if not skip to next entry  2. Obtain a reference to the expired entry.  3. Call nf_ct_should_gc() to double-check step 1.  nf_ct_should_gc() is thus called only for entries that already failed an expiry check. After this patch, once the confirmed bit check pas ---truncated---",null,[],[],[],[14],{"_key":15},"CVE-2025-38472",[17,19,21],{"_key":18},"DLA-4328-1",{"_key":20},"DSA-5973-1",{"_key":22},"DSA-5975-1",[],[],"2025-07-28T12:15:29.003Z","2026-04-28T20:29:58.886159Z",{"cisa_kev":28,"cisa_ransomware":28,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[30],{"url":31,"sources":32,"tags":34},"https://security-tracker.debian.org/tracker/CVE-2025-38472",[33],"osv_debian",[35],"Advisory",[],[],[39],{"source":33,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":40,"cvss_v4_0":9},{"baseScore":41,"baseSeverity":9,"vectorString":42,"impactScore":43,"exploitabilityScore":44},5.5,"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",6,4.6,[46,64],{"ecosystem":47,"name":48,"vendor":49,"product":48,"cpe_part":9,"purl_type":50,"purl_namespace":49,"purl_name":48,"source":9,"versions":51},"Debian","linux","debian","deb",[52,58,61],{"version":53,"is_range":54,"range_type":55,"version_start":9,"version_start_type":9,"version_end":56,"version_end_type":57,"fixed_in":9},"lt6_1_147_1",true,"ecosystem","6.1.147-1","excluding",{"version":59,"is_range":54,"range_type":55,"version_start":9,"version_start_type":9,"version_end":60,"version_end_type":57,"fixed_in":9},"lt6_12_41_1","6.12.41-1",{"version":62,"is_range":54,"range_type":55,"version_start":9,"version_start_type":9,"version_end":63,"version_end_type":57,"fixed_in":9},"lt6_16_3_1","6.16.3-1",{"ecosystem":47,"name":65,"vendor":49,"product":65,"cpe_part":9,"purl_type":50,"purl_namespace":49,"purl_name":65,"source":9,"versions":66},"linux-6.1",[67],{"version":68,"is_range":54,"range_type":55,"version_start":9,"version_start_type":9,"version_end":69,"version_end_type":57,"fixed_in":9},"lt6_1_153_1~deb11u1","6.1.153-1~deb11u1"]