CVE-2025-71097 in Linux

Summary

by MITRE • 01/13/2026

In the Linux kernel, the following vulnerability has been resolved:

ipv4: Fix reference count leak when using error routes with nexthop objects

When a nexthop object is deleted, it is marked as dead and then fib_table_flush() is called to flush all the routes that are using the dead nexthop.

The current logic in fib_table_flush() is to only flush error routes (e.g., blackhole) when it is called as part of network namespace dismantle (i.e., with flush_all=true). Therefore, error routes are not flushed when their nexthop object is deleted:

# ip link add name dummy1 up type dummy
# ip nexthop add id 1 dev dummy1
# ip route add 198.51.100.1/32 nhid 1
# ip route add blackhole 198.51.100.2/32 nhid 1
# ip nexthop del id 1
# ip route show
blackhole 198.51.100.2 nhid 1 dev dummy1

As such, they keep holding a reference on the nexthop object which in turn holds a reference on the nexthop device, resulting in a reference count leak:

# ip link del dev dummy1
[ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2

Fix by flushing error routes when their nexthop is marked as dead.

IPv6 does not suffer from this problem.


Analysis

by VulDB Data Team • 03/25/2026

This vulnerability exists in the Linux kernel's IPv4 routing subsystem, where a reference count leak occurs when error routes are associated with nexthop objects. The issue manifests when a nexthop object is deleted and marked as dead, but the associated error routes are not flushed from the forwarding information base. The fib_table_flush() function only flushes error routes during network namespace dismantling, i.e. when flush_all=true is specified. During a normal nexthop deletion, error routes that reference the dead nexthop object remain in the routing table, creating a circular reference that prevents proper resource cleanup. This behavior specifically affects the IPv4 implementation while IPv6 remains unaffected, indicating a protocol-specific implementation gap in the kernel's routing table management.

The technical flaw stems from improper resource management within the forwarding information base table flushing mechanism. When a nexthop object is deleted, the kernel correctly marks it as dead but fails to properly clean up error routes that reference this dead object. The error routes maintain references to the nexthop object through their nexthop identifiers, which in turn maintains references to the underlying network device. This creates a reference count leak where the network device cannot be properly unregistered because it still has active references from the error routes. The leak manifests as a usage count greater than zero, preventing the network device from being freed and resulting in a system resource leak that can accumulate over time.

The operational impact of this vulnerability can be significant in systems with high routing table churn or frequent network device operations. The reference count leak can lead to resource exhaustion where network devices cannot be properly removed or replaced, potentially causing system instability or performance degradation. In environments where network configurations are frequently modified, such as dynamic routing or containerized deployments, this vulnerability can accumulate over time and eventually lead to system resource exhaustion. The leak also prevents proper cleanup of network namespaces and can cause issues with network device reconfiguration, particularly in virtualized or containerized environments where network resources are frequently allocated and deallocated.

The fix for this vulnerability involves modifying the fib_table_flush() function to properly flush error routes when a nexthop object is marked as dead, regardless of whether the flush operation is part of a namespace dismantling process. This ensures that when a nexthop is deleted, all associated error routes are also removed from the routing table, breaking the circular reference chain and allowing proper resource cleanup. The implementation should maintain compatibility with existing functionality while ensuring that error routes are properly handled during nexthop deletion operations. This fix aligns with common security practices for resource management and follows the principle of least privilege by ensuring that all references to deleted resources are properly cleaned up. The vulnerability can be categorized under CWE-404 as improper resource cleanup and relates to ATT&CK technique T1490 for resource exhaustion through reference counting issues.

The resolution addresses a fundamental flaw in the kernel's routing table management where the distinction between different types of flush operations creates inconsistent cleanup behavior. The fix ensures that all routes referencing a dead nexthop are properly flushed regardless of the context in which the flush occurs, maintaining proper reference counting semantics. This change brings the ipv4 implementation in line with the expected behavior of network resource management where all references to deleted objects should be eliminated. The solution maintains backward compatibility while fixing the specific reference count leak issue and prevents potential denial of service scenarios that could arise from resource exhaustion. The fix also aligns with kernel security best practices for preventing resource leaks that can be exploited to cause system instability or resource exhaustion attacks.
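The following is an added, simplified C model of the flush logic described in the summary and the analysis above; it is not the kernel's code. It models a device, a nexthop and two routes with explicit reference counts, replays the ip(8) sequence from the summary, and shows that the pre-fix skip of error routes leaves the device with a dangling reference, while flushing error routes whose nexthop is dead releases it. Structure names, field names and the fixed flag are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified model of the objects involved (not the kernel's structures). */
struct netdev  { const char *name; int refcnt; };
struct nexthop { struct netdev *dev; int refcnt; bool dead; };
struct route   { const char *prefix; struct nexthop *nh; bool error; bool flushed; };

/* Dropping the last route reference on a nexthop releases its device reference. */
static void nexthop_put(struct nexthop *nh)
{
    if (nh && --nh->refcnt == 0)
        nh->dev->refcnt--;
}

/* Model of fib_table_flush(). flush_all is set only on netns dismantle.
 * fixed=false reproduces the pre-fix behaviour (error routes are never
 * flushed unless flush_all); fixed=true also flushes error routes whose
 * nexthop has been marked dead. Returns the number of routes flushed. */
static int fib_table_flush(struct route *rt, size_t n, bool flush_all, bool fixed)
{
    int found = 0;
    for (size_t i = 0; i < n; i++) {
        bool nh_dead = rt[i].nh && rt[i].nh->dead;
        if (rt[i].flushed)
            continue;
        if (!flush_all && rt[i].error && !(fixed && nh_dead))
            continue;               /* pre-fix: error route survives nexthop delete */
        if (!flush_all && !nh_dead)
            continue;               /* nexthop still alive: keep the route */
        rt[i].flushed = true;
        nexthop_put(rt[i].nh);
        found++;
    }
    return found;
}

/* Replays the advisory's sequence: one unicast and one blackhole route on
 * nexthop 1, then "ip nexthop del id 1". Returns the device's remaining
 * reference count; 0 means dummy1 could be unregistered, 1 means it leaked. */
static int device_refcnt_after_nexthop_delete(bool fixed)
{
    struct netdev dummy1 = { "dummy1", 1 };          /* held by the nexthop */
    struct nexthop nh1 = { &dummy1, 2, false };      /* held by the two routes */
    struct route rt[] = {
        { "198.51.100.1/32", &nh1, false, false },  /* unicast route */
        { "198.51.100.2/32", &nh1, true,  false },  /* blackhole (error) route */
    };
    nh1.dead = true;                                 /* nexthop deleted, marked dead */
    fib_table_flush(rt, 2, false, fixed);
    return dummy1.refcnt;
}
```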

Responsible: Linux
Reservation: 01/13/2026
Disclosure: 01/13/2026
Moderation: accepted
CPE: ready
EPSS: 0.00033
KEV: no
Activities: very low
