Linux Kernel IPv4 Refcount Leak via Dead Nexthop Objects
CVE-2025-71097 Published on January 13, 2026
ipv4: Fix reference count leak when using error routes with nexthop objects
In the Linux kernel, the following vulnerability has been resolved:
When a nexthop object is deleted, it is marked as dead and then
fib_table_flush() is called to flush all the routes that are using the
dead nexthop.
The current logic in fib_table_flush() is to only flush error routes
(e.g., blackhole) when it is called as part of network namespace
dismantle (i.e., with flush_all=true). Therefore, error routes are not
flushed when their nexthop object is deleted:

    # ip link add name dummy1 up type dummy
    # ip nexthop add id 1 dev dummy1
    # ip route add 198.51.100.1/32 nhid 1
    # ip route add blackhole 198.51.100.2/32 nhid 1
    # ip nexthop del id 1
    # ip route show
    blackhole 198.51.100.2 nhid 1 dev dummy1

As such, they keep holding a reference on the nexthop object which in
turn holds a reference on the nexthop device, resulting in a reference
count leak:

    # ip link del dev dummy1
    [ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2

Fix by flushing error routes when their nexthop is marked as dead.
IPv6 does not suffer from this problem.
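A check for the leftover state shown above, added here as an example and not part of the kernel commit or this advisory: it lists error routes whose `nhid` no longer appears in the nexthop listing. The function name, the marker line and the sample data are constructed, and the set of four error route types is an assumption based on the types iproute2 accepts.

```shell
#!/bin/sh
# Added example: report error routes that still point at a deleted nexthop.
# Usage on a live host (both commands are standard iproute2):
#   find_stale_error_routes "$(ip route show table all)" "$(ip nexthop show)"

# $1 = route listing, $2 = nexthop listing. Prints each stale route line.
find_stale_error_routes() {
    {
        printf '%s\n' "$2"
        echo '--ROUTES--'          # constructed marker separating the inputs
        printf '%s\n' "$1"
    } | awk '
        $0 == "--ROUTES--" { in_routes = 1; next }
        # Nexthop lines look like: id 2 dev dummy2 scope link
        !in_routes { if ($1 == "id") live[$2] = 1; next }
        # Only error route types matter here (assumed set: the four below).
        $1 ~ /^(blackhole|unreachable|prohibit|throw)$/ {
            for (i = 2; i < NF; i++) {
                if ($i != "nhid") continue
                nh = $(i + 1)
                if (!(nh in live)) print
            }
        }'
}

# Constructed sample: nexthop 1 was deleted, nexthop 2 still exists.
SAMPLE_NEXTHOPS='id 2 dev dummy2 scope link'
SAMPLE_ROUTES='198.51.100.3 nhid 2 dev dummy2
blackhole 198.51.100.2 nhid 1 dev dummy1
blackhole 198.51.100.4 nhid 2 dev dummy2'

find_stale_error_routes "$SAMPLE_ROUTES" "$SAMPLE_NEXTHOPS"
```

Any line it prints on a real host is a route that can be removed with `ip route del` before deleting the underlying device.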
Products Associated with CVE-2025-71097
Linux Kernel, Canonical Ubuntu Linux
Affected Versions
Linux:
- Version 493ced1ac47c48bb86d9d4e8e87df8592be85a0e and below 5de7ad7e18356e39e8fbf7edd185a5faaf4f385a is affected.
- Version 493ced1ac47c48bb86d9d4e8e87df8592be85a0e and below 33ff5c207c873215e54e6176624ed57423cb7dea is affected.
- Version 493ced1ac47c48bb86d9d4e8e87df8592be85a0e and below 30386e090c49e803c0616a7147e43409c32a2b0e is affected.
- Version 493ced1ac47c48bb86d9d4e8e87df8592be85a0e and below 5979338c83012110ccd45cae6517591770bfe536 is affected.
- Version 493ced1ac47c48bb86d9d4e8e87df8592be85a0e and below ee4183501ea556dca31f5ffd8690aa9fd25b609f is affected.
- Version 493ced1ac47c48bb86d9d4e8e87df8592be85a0e and below e3fc381320d04e4a74311e576a86cac49a16fc43 is affected.
- Version 493ced1ac47c48bb86d9d4e8e87df8592be85a0e and below ac782f4e3bfcde145b8a7f8af31d9422d94d172a is affected.
- Version 5.3 is affected.
- Versions before 5.3 are unaffected.
- Version 5.10.248 and later in the 5.10.* series is unaffected.
- Version 5.15.198 and later in the 5.15.* series is unaffected.
- Version 6.1.160 and later in the 6.1.* series is unaffected.
- Version 6.6.120 and later in the 6.6.* series is unaffected.
- Version 6.12.64 and later in the 6.12.* series is unaffected.
- Version 6.18.4 and later in the 6.18.* series is unaffected.
- Version 6.19 and later is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.