CVE-2025-38201 in Linux
Summary
by MITRE • 07/04/2025
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX
Otherwise, it is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when resizing hashtable because __GFP_NOWARN is unset.
Similar to:
b541ba7d1f5a ("netfilter: conntrack: clamp maximum hashtable size to INT_MAX")
Analysis
by VulDB Data Team • 12/13/2025
The vulnerability identified as CVE-2025-38201 resides within the Linux kernel's netfilter subsystem, specifically affecting the nft_set_pipapo module responsible for managing set operations in the nftables framework. This issue represents a critical memory management flaw that could potentially lead to system instability and denial of service conditions. The vulnerability stems from inadequate bounds checking during hashtable resizing operations within the pipapo set implementation, which is a probabilistic data structure used for efficient set membership testing in netfilter rules.
The technical flaw manifests when the system attempts to resize hashtable structures used by the pipapo set implementation without proper validation of the requested bucket size. When an attacker can manipulate input parameters to exceed the maximum integer limit, the kernel's memory allocation functions trigger warning conditions that may ultimately result in system crashes or unpredictable behavior. The vulnerability specifically impacts the __kvmalloc_node_noprof() function which lacks the __GFP_NOWARN flag during allocation attempts, causing kernel warnings to be logged when memory allocation fails due to excessive size requests.
This vulnerability directly relates to CWE-129, which addresses improper validation of array index values, and CWE-131, concerning improper handling of length parameters in a manner that can result in a buffer overflow. The issue also maps to ATT&CK technique T1499.004, which involves network denial of service attacks through resource exhaustion, as the vulnerability could be exploited to consume excessive kernel memory resources. The fix implemented follows a precedent established by commit b541ba7d1f5a that addressed similar hashtable size limitations in the conntrack subsystem, demonstrating the kernel development team's recognition of this pattern as a recurring security concern.
The operational impact of this vulnerability extends beyond simple denial of service scenarios, as it represents a potential vector for privilege escalation attacks within network filtering contexts. Systems running kernel versions containing this flaw may experience unexpected system crashes when processing specially crafted nftables rules or when handling large-scale network traffic patterns that trigger the problematic hashtable resizing code paths. The vulnerability affects all systems utilizing nftables with pipapo set implementations, particularly those implementing complex network filtering rules or serving high-traffic network environments where set operations are frequently performed. Network administrators and security professionals should prioritize patching systems running affected kernel versions to prevent potential exploitation that could lead to service disruption or system instability.
The mitigation strategy involves updating to kernel versions that contain the patched implementation, which clamps maximum map bucket sizes to INT_MAX values to prevent overflow conditions in hashtable resizing operations. Additionally, organizations should implement monitoring for kernel warning messages related to memory allocation failures and hashtable operations, as these could indicate attempted exploitation of the vulnerability. System administrators should also review and restrict nftables rule configurations that might inadvertently trigger large set operations, particularly in environments where external input controls are not properly enforced. The fix demonstrates the kernel community's ongoing commitment to addressing memory safety issues in core networking subsystems, reflecting the critical nature of netfilter components in maintaining system network security and stability.
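The warning path described above and the clamp that the fix applies can be shown with a small constructed model, added here as an illustration and not taken from the kernel source: `model_kvmalloc()` stands in for the allocator's guard that refuses requests above INT_MAX and warns unless `__GFP_NOWARN` is set, and `resize_unclamped()` / `resize_clamped()` are hypothetical versions of a lookup-table resize before and after clamping (the model clamps the derived byte size, the quantity the allocator inspects; it assumes a 64-bit `size_t`).

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the allocator's size guard (not kernel code):
 * a request above INT_MAX is refused, and a warning fires unless the
 * caller set __GFP_NOWARN. The advisory says that flag is unset here. */
#define MODEL_GFP_NOWARN 0x1u

static unsigned warnings;   /* modelled WARN_ON_ONCE hits */

/* Returns 1 if the request would be honoured, 0 if refused. */
static int model_kvmalloc(size_t size, unsigned flags)
{
    if (size > (size_t)INT_MAX) {
        if (!(flags & MODEL_GFP_NOWARN))
            warnings++;         /* the splat the fix avoids */
        return 0;
    }
    return 1;                   /* real code would allocate here */
}

/* Hypothetical resize before the fix: the size derived from the bucket
 * count goes straight to the allocator, however large it is. */
static int resize_unclamped(size_t buckets, size_t bucket_bytes)
{
    return model_kvmalloc(buckets * bucket_bytes, 0);
}

/* Remedy named by the advisory: clamp to INT_MAX before allocating.
 * The multiply is overflow-checked so the clamp also holds on 32-bit. */
static size_t clamp_bucket_size(size_t buckets, size_t bucket_bytes)
{
    if (buckets > (size_t)INT_MAX / bucket_bytes)
        return (size_t)INT_MAX;
    return buckets * bucket_bytes;
}

static int resize_clamped(size_t buckets, size_t bucket_bytes)
{
    return model_kvmalloc(clamp_bucket_size(buckets, bucket_bytes), 0);
}

int main(void)
{
    size_t huge = (size_t)1 << 30;   /* constructed: 1 Gi buckets of 8 bytes */
    printf("unclamped: ok=%d warnings=%u\n", resize_unclamped(huge, 8), warnings);
    printf("clamped:   ok=%d warnings=%u\n", resize_clamped(huge, 8), warnings);
    return 0;
}
```

The unclamped path is refused and increments the warning counter, while the clamped path reaches the allocator with a bounded size and leaves the counter unchanged.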