CVE-2026-45860
CVSS v3.1 severity:
HIGH
Type:
Not available / Other type
Publication date:
27/05/2026
Last modified:
30/05/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conncount: increase the connection clean up limit to 64

After the optimization to only perform one GC per jiffy, a new problem
was introduced. If more than 8 new connections are tracked per jiffy the
list won't be cleaned up fast enough, possibly reaching the limit
wrongly.

In order to prevent this issue, only skip the GC if it was already
triggered during the same jiffy and the increment is lower than the
clean up limit. In addition, increase the clean up limit to 64
connections to avoid triggering GC too often and do more effective GCs.

This has been tested using an HTTP server and several
performance tools while having nft_connlimit/xt_connlimit or OVS limit
configured.

Output of slowhttptest + OVS limit at 52000 connections:

slow HTTP test status on 340th second:
initializing: 0
pending: 432
connected: 51998
error: 0
closed: 0
service available: YES
Impact
Base score 3.x
7.50
Severity 3.x
HIGH
References to solutions, tools and information
- https://git.kernel.org/stable/c/0792ad077d776c2dcf20f0484e2461ded1b77a24
- https://git.kernel.org/stable/c/0af0812baf2d363176c9b76fc07e33f13aede8db
- https://git.kernel.org/stable/c/13eede458fdf231f1bf96a398feea4ad1553f14c
- https://git.kernel.org/stable/c/21d033e472735ecec677f1ae46d6740b5e47a4f3
- https://git.kernel.org/stable/c/3d0994ed0aa1fc0a2c5e620b765e8defdd021bff
- https://git.kernel.org/stable/c/6e5fa7add3e76da068a478d905be64be8fa4e80a
- https://git.kernel.org/stable/c/a5c9e14e0e8923218ae881d5e78c990c07694966
- https://git.kernel.org/stable/c/fa85432d58c8e74b39333edbf8d28df2985dfc79