CVE-2025-40206

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-40206
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40206.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-40206
Downstream
Published
2025-11-12T21:56:35Z
Modified
2025-11-13T03:42:13.361674Z
Summary
netfilter: nft_objref: validate objref and objrefmap expressions
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_objref: validate objref and objrefmap expressions

Referencing a synproxy stateful object from OUTPUT hook causes kernel crash due to infinite recursive calls:

BUG: TASK stack guard page was hit at 000000008bda5b8c (stack is 000000003ab1c4a5..00000000494d8b12) [...] Call Trace: _findrrleaf+0x99/0x230 fib6tablelookup+0x13b/0x2d0 ip6polroute+0xa4/0x400 fib6rulelookup+0x156/0x240 ip6routeoutputflags+0xc6/0x150 _nfip6route+0x23/0x50 synproxysendtcpipv6+0x106/0x200 synproxysendclientsynackipv6+0x1aa/0x1f0 nftsynproxydoeval+0x263/0x310 nftdochain+0x5a8/0x5f0 [nftables nftdochaininet+0x98/0x110 nfhookslow+0x43/0xc0 _ip6localout+0xf0/0x170 ip6localout+0x17/0x70 synproxysendtcpipv6+0x1a2/0x200 synproxysendclientsynack_ipv6+0x1aa/0x1f0 [...]

Implement objref and objrefmap expression validate functions.

Currently, only NFTOBJECTSYNPROXY object type requires validation. This will also handle a jump to a chain using a synproxy object from the OUTPUT hook.

Now when trying to reference a synproxy object in the OUTPUT hook, nft will produce the following error:

synproxy_crash.nft: Error: Could not process rule: Operation not supported synproxy name mysynproxy ^^^^^^^^^^^^^^^^^^^^^^^^

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ee394f96ad7517fbc0de9106dcc7ce9efb14f264
Fixed
0028e0134c64d9ed21728341a74fcfc59cd0f944
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ee394f96ad7517fbc0de9106dcc7ce9efb14f264
Fixed
7ea55a44493a5a36c3b3293b88bbe4841f9dbaf0
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ee394f96ad7517fbc0de9106dcc7ce9efb14f264
Fixed
4c1cf72ec10be5a9ad264650cadffa1fbce6fabd
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ee394f96ad7517fbc0de9106dcc7ce9efb14f264
Fixed
f359b809d54c6e3dd1d039b97e0b68390b0e53e4

Affected versions

v5.*

v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.3
v5.3-rc8
v5.4
v5.4-rc1
v5.4-rc2
v5.4-rc3
v5.4-rc4
v5.4-rc5
v5.4-rc6
v5.4-rc7
v5.4-rc8
v5.5
v5.5-rc1
v5.5-rc2
v5.5-rc3
v5.5-rc4
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.34
v6.12.35
v6.12.36
v6.12.37
v6.12.38
v6.12.39
v6.12.4
v6.12.40
v6.12.41
v6.12.42
v6.12.43
v6.12.44
v6.12.45
v6.12.46
v6.12.47
v6.12.48
v6.12.49
v6.12.5
v6.12.50
v6.12.51
v6.12.52
v6.12.53
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.17
v6.17-rc1
v6.17-rc2
v6.17-rc3
v6.17-rc4
v6.17-rc5
v6.17-rc6
v6.17-rc7
v6.17.1
v6.17.2
v6.17.3
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.100
v6.6.101
v6.6.102
v6.6.103
v6.6.104
v6.6.105
v6.6.106
v6.6.107
v6.6.108
v6.6.109
v6.6.11
v6.6.110
v6.6.111
v6.6.112
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.54
v6.6.55
v6.6.56
v6.6.57
v6.6.58
v6.6.59
v6.6.6
v6.6.60
v6.6.61
v6.6.62
v6.6.63
v6.6.64
v6.6.65
v6.6.66
v6.6.67
v6.6.68
v6.6.69
v6.6.7
v6.6.70
v6.6.71
v6.6.72
v6.6.73
v6.6.74
v6.6.75
v6.6.76
v6.6.77
v6.6.78
v6.6.79
v6.6.8
v6.6.80
v6.6.81
v6.6.82
v6.6.83
v6.6.84
v6.6.85
v6.6.86
v6.6.87
v6.6.88
v6.6.89
v6.6.9
v6.6.90
v6.6.91
v6.6.92
v6.6.93
v6.6.94
v6.6.95
v6.6.96
v6.6.97
v6.6.98
v6.6.99
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures

[
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0028e0134c64d9ed21728341a74fcfc59cd0f944",
        "signature_version": "v1",
        "id": "CVE-2025-40206-0652f8ec",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "52990538692447528612205677088158529522",
                "69869238721636315315949022058642850530",
                "60175747657530082264716685923980272474",
                "338205057034336150730470756437338451439",
                "251300141053243095866321258479873610832",
                "227717150923474254790733774918257932582",
                "339576860334779818055178277315976927725",
                "81397977820263085581148674676868003540",
                "289330054589378902017093637670003358043",
                "38678324679768674604617366246355994881",
                "61030496135242720247217254008645937753",
                "238712722546714423990547070978332221291",
                "49224946402876133267968355537022390564",
                "78650629407568676814687981594980553657"
            ]
        },
        "deprecated": false,
        "target": {
            "file": "net/netfilter/nft_objref.c"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4c1cf72ec10be5a9ad264650cadffa1fbce6fabd",
        "signature_version": "v1",
        "id": "CVE-2025-40206-07c36886",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "52990538692447528612205677088158529522",
                "69869238721636315315949022058642850530",
                "60175747657530082264716685923980272474",
                "338205057034336150730470756437338451439",
                "251300141053243095866321258479873610832",
                "227717150923474254790733774918257932582",
                "339576860334779818055178277315976927725",
                "81397977820263085581148674676868003540",
                "289330054589378902017093637670003358043",
                "38678324679768674604617366246355994881",
                "61030496135242720247217254008645937753",
                "238712722546714423990547070978332221291",
                "49224946402876133267968355537022390564",
                "78650629407568676814687981594980553657"
            ]
        },
        "deprecated": false,
        "target": {
            "file": "net/netfilter/nft_objref.c"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7ea55a44493a5a36c3b3293b88bbe4841f9dbaf0",
        "signature_version": "v1",
        "id": "CVE-2025-40206-53a3c6e8",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "52990538692447528612205677088158529522",
                "69869238721636315315949022058642850530",
                "60175747657530082264716685923980272474",
                "338205057034336150730470756437338451439",
                "251300141053243095866321258479873610832",
                "227717150923474254790733774918257932582",
                "339576860334779818055178277315976927725",
                "81397977820263085581148674676868003540",
                "289330054589378902017093637670003358043",
                "38678324679768674604617366246355994881",
                "61030496135242720247217254008645937753",
                "238712722546714423990547070978332221291",
                "49224946402876133267968355537022390564",
                "78650629407568676814687981594980553657"
            ]
        },
        "deprecated": false,
        "target": {
            "file": "net/netfilter/nft_objref.c"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f359b809d54c6e3dd1d039b97e0b68390b0e53e4",
        "signature_version": "v1",
        "id": "CVE-2025-40206-bd93c6d3",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "52990538692447528612205677088158529522",
                "69869238721636315315949022058642850530",
                "60175747657530082264716685923980272474",
                "338205057034336150730470756437338451439",
                "251300141053243095866321258479873610832",
                "227717150923474254790733774918257932582",
                "339576860334779818055178277315976927725",
                "81397977820263085581148674676868003540",
                "289330054589378902017093637670003358043",
                "38678324679768674604617366246355994881",
                "61030496135242720247217254008645937753",
                "238712722546714423990547070978332221291",
                "49224946402876133267968355537022390564",
                "78650629407568676814687981594980553657"
            ]
        },
        "deprecated": false,
        "target": {
            "file": "net/netfilter/nft_objref.c"
        }
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.4.0
Fixed
6.6.113
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.54
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.17.4