CVE-2025-71097

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipv4: Fix reference count leak when using error routes with nexthop objects<br /> <br /> When a nexthop object is deleted, it is marked as dead and then<br /> fib_table_flush() is called to flush all the routes that are using the<br /> dead nexthop.<br /> <br /> The current logic in fib_table_flush() is to only flush error routes<br /> (e.g., blackhole) when it is called as part of network namespace<br /> dismantle (i.e., with flush_all=true). Therefore, error routes are not<br /> flushed when their nexthop object is deleted:<br /> <br /> # ip link add name dummy1 up type dummy<br /> # ip nexthop add id 1 dev dummy1<br /> # ip route add 198.51.100.1/32 nhid 1<br /> # ip route add blackhole 198.51.100.2/32 nhid 1<br /> # ip nexthop del id 1<br /> # ip route show<br /> blackhole 198.51.100.2 nhid 1 dev dummy1<br /> <br /> As such, they keep holding a reference on the nexthop object which in<br /> turn holds a reference on the nexthop device, resulting in a reference<br /> count leak:<br /> <br /> # ip link del dev dummy1<br /> [ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2<br /> <br /> Fix by flushing error routes when their nexthop is marked as dead.<br /> <br /> IPv6 does not suffer from this problem.