CVE-2025-40206

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nft_objref: validate objref and objrefmap expressions<br /> <br /> Referencing a synproxy stateful object from OUTPUT hook causes kernel<br /> crash due to infinite recursive calls:<br /> <br /> BUG: TASK stack guard page was hit at 000000008bda5b8c (stack is 000000003ab1c4a5..00000000494d8b12)<br /> [...]<br /> Call Trace:<br /> __find_rr_leaf+0x99/0x230<br /> fib6_table_lookup+0x13b/0x2d0<br /> ip6_pol_route+0xa4/0x400<br /> fib6_rule_lookup+0x156/0x240<br /> ip6_route_output_flags+0xc6/0x150<br /> __nf_ip6_route+0x23/0x50<br /> synproxy_send_tcp_ipv6+0x106/0x200<br /> synproxy_send_client_synack_ipv6+0x1aa/0x1f0<br /> nft_synproxy_do_eval+0x263/0x310<br /> nft_do_chain+0x5a8/0x5f0 [nf_tables<br /> nft_do_chain_inet+0x98/0x110<br /> nf_hook_slow+0x43/0xc0<br /> __ip6_local_out+0xf0/0x170<br /> ip6_local_out+0x17/0x70<br /> synproxy_send_tcp_ipv6+0x1a2/0x200<br /> synproxy_send_client_synack_ipv6+0x1aa/0x1f0<br /> [...]<br /> <br /> Implement objref and objrefmap expression validate functions.<br /> <br /> Currently, only NFT_OBJECT_SYNPROXY object type requires validation.<br /> This will also handle a jump to a chain using a synproxy object from the<br /> OUTPUT hook.<br /> <br /> Now when trying to reference a synproxy object in the OUTPUT hook, nft<br /> will produce the following error:<br /> <br /> synproxy_crash.nft: Error: Could not process rule: Operation not supported<br /> synproxy name mysynproxy<br /> ^^^^^^^^^^^^^^^^^^^^^^^^