CVE-2025-22064 in Linux

Summary

by MITRE • 04/16/2025

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: don't unregister hook when table is dormant

When nf_tables_updchain encounters an error, hook registration needs to be rolled back.

This should only be done if the hook has been registered, which won't happen when the table is flagged as dormant (inactive).

Just move the assignment into the registration block.


Analysis

by VulDB Data Team • 02/15/2026

The vulnerability CVE-2025-22064 affects the Linux kernel's netfilter subsystem, specifically within the nf_tables framework that manages packet filtering and manipulation rules. This issue resides in the kernel's network packet processing pipeline where nf_tables handles chain updates and hook registration operations. The vulnerability manifests when the nf_tables_updchain function encounters an error during chain updates, creating a potential inconsistency in the kernel's networking subsystem. The problem stems from improper handling of hook unregistration logic during error conditions, which can lead to resource management issues and potential system instability.

The technical flaw occurs in the error handling path of the nf_tables subsystem where the code attempts to unregister network hooks even when the table is marked as dormant or inactive. When a table is flagged as dormant, it indicates that the table is not actively processing packets and should not have its hooks modified or unregistered. However, the current implementation fails to check this dormant state before attempting hook cleanup operations. This oversight creates a scenario where the system attempts to perform operations on inactive resources, potentially leading to memory corruption or inconsistent state management. The vulnerability is classified as a logic error in conditional execution flow, specifically related to improper state checking before resource cleanup operations.

The operational impact of this vulnerability extends across all Linux systems utilizing the netfilter framework with nf_tables, particularly those running kernel versions containing the affected code. Systems with active network filtering rules, firewalls, or network address translation configurations are most susceptible to exploitation. The vulnerability could potentially allow attackers to cause denial of service conditions by triggering the error path during chain updates, or in more severe cases, could lead to privilege escalation or memory corruption if the improper cleanup operations affect kernel memory structures. Network administrators managing security-sensitive environments would face increased risk of system instability during configuration updates or rule modifications.

The mitigation strategy involves applying the kernel patch that moves the hook assignment operation into the registration block, ensuring that hook unregistration only occurs when hooks have actually been registered. This fix aligns with the principle of defensive programming and proper resource management practices. The solution prevents the erroneous cleanup operation when dealing with dormant tables and maintains consistency in the kernel's network processing pipeline. System administrators should prioritize updating to kernel versions containing this fix, particularly in production environments where network security and stability are critical. Organizations should also implement monitoring for unusual network filtering behavior or system instability that might indicate exploitation attempts.
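The control-flow defect described in the summary and analysis above, reduced to a small constructed C model as an added illustration. This is not the kernel's nf_tables source: the names model_table, model_hook, updchain_before, updchain_after and run_scenario are invented for the example, the "dormant" field stands in for the kernel's dormant table flag (NFT_TABLE_F_DORMANT), and the injected later_error parameter stands in for whatever later step of the chain update fails. The point it demonstrates is the one the fix makes: the rollback flag must be set inside the block that actually registers the hooks, otherwise the error path cleans up something that was never set up.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model of the chain-update error path; NOT kernel code.
 * All type and function names here are invented for illustration.
 */

struct model_table {
    bool dormant;               /* stands in for the kernel's NFT_TABLE_F_DORMANT flag */
};

struct model_hook {
    bool registered;            /* set once register_hooks() has run */
    int bogus_unregisters;      /* unregister attempted on a never-registered hook */
};

static void register_hooks(struct model_hook *h)
{
    h->registered = true;
}

static void unregister_hooks(struct model_hook *h)
{
    /* Record the defect instead of failing hard: this is the operation the
     * real kernel must never perform on hooks that were never registered. */
    if (!h->registered) {
        h->bogus_unregisters++;
        return;
    }
    h->registered = false;
}

/* Pre-fix shape: the rollback flag is assigned independently of the
 * dormancy check that guards registration. */
int updchain_before(const struct model_table *t, struct model_hook *h, bool later_error)
{
    bool unregister = true;     /* assigned whether or not hooks get registered */

    if (!t->dormant)
        register_hooks(h);      /* dormant tables skip registration entirely */

    if (later_error)            /* a later step of the chain update failed */
        goto err_rollback;
    return 0;

err_rollback:
    if (unregister)
        unregister_hooks(h);    /* also runs for a dormant table: the bug */
    return -1;
}

/* Post-fix shape: the assignment moved into the registration block, so the
 * flag is true only when hooks were actually registered. */
int updchain_after(const struct model_table *t, struct model_hook *h, bool later_error)
{
    bool unregister = false;

    if (!t->dormant) {
        register_hooks(h);
        unregister = true;
    }

    if (later_error)
        goto err_rollback;
    return 0;

err_rollback:
    if (unregister)
        unregister_hooks(h);    /* now only for hooks that were registered */
    return -1;
}

typedef int (*updchain_fn)(const struct model_table *, struct model_hook *, bool);

/* Runs one scenario on a fresh table/hook pair and returns the hook's end state. */
struct model_hook run_scenario(updchain_fn updchain, bool dormant, bool later_error)
{
    struct model_table t = { .dormant = dormant };
    struct model_hook h = { .registered = false, .bogus_unregisters = 0 };

    updchain(&t, &h, later_error);
    return h;
}

int main(void)
{
    struct model_hook h;

    h = run_scenario(updchain_before, true, true);
    printf("before fix, dormant table, error path: bogus unregisters = %d\n", h.bogus_unregisters);

    h = run_scenario(updchain_after, true, true);
    printf("after fix,  dormant table, error path: bogus unregisters = %d\n", h.bogus_unregisters);

    h = run_scenario(updchain_after, false, true);
    printf("after fix,  active table,  error path: still registered = %d\n", h.registered);
    return 0;
}
```

Running the model shows the asymmetry the patch removes: with a dormant table and a failing later step, the pre-fix flow performs one bogus unregister while the post-fix flow performs none, and for an active table both versions still roll the registration back correctly, so the fix narrows the cleanup to the cases where it is valid without losing it where it is needed.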

This vulnerability relates to CWE-691, which covers insufficient control flow management, and aligns with ATT&CK techniques involving system modification and privilege escalation through kernel-level vulnerabilities. The issue demonstrates the importance of proper state management in kernel subsystems and highlights how seemingly minor logic errors can have significant security implications. The fix represents a standard defensive programming approach where conditional checks prevent operations on invalid or inactive resources, reinforcing the principle that error handling paths should maintain system integrity even when encountering exceptional conditions.

Responsible

Linux

Reservation

12/29/2024

Disclosure

04/16/2025

Moderation

accepted

CPE

ready

EPSS

0.00216

KEV

no

Activities

very low
