CVE-2026-45860

Source
https://cve.org/CVERecord?id=CVE-2026-45860
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45860.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45860
Downstream
Published
2026-05-27T12:15:40.080Z
Modified
2026-07-08T08:13:38.950156036Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
netfilter: nf_conncount: increase the connection clean up limit to 64
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conncount: increase the connection clean up limit to 64

After the optimization to only perform one GC per jiffy, a new problem was introduced. If more than 8 new connections are tracked per jiffy the list won't be cleaned up fast enough possibly reaching the limit wrongly.

In order to prevent this issue, only skip the GC if it was already triggered during the same jiffy and the increment is lower than the clean up limit. In addition, increase the clean up limit to 64 connections to avoid triggering GC too often and do more effective GCs.

This has been tested using a HTTP server and several performance tools while having nftconnlimit/xtconnlimit or OVS limit configured.

Output of slowhttptest + OVS limit at 52000 connections:

slow HTTP test status on 340th second: initializing: 0 pending: 432 connected: 51998 error: 0 closed: 0 service available: YES

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45860.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f106694733c66a48740c25bc4e212e9b2ea364ce
Fixed
a5c9e14e0e8923218ae881d5e78c990c07694966
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
be69850b461e7b491d87a22e33ab76fdd04b725e
Fixed
13eede458fdf231f1bf96a398feea4ad1553f14c
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d265929930e2ffafc744c0ae05fb70acd53be1ee
Fixed
fa85432d58c8e74b39333edbf8d28df2985dfc79
Fixed
0792ad077d776c2dcf20f0484e2461ded1b77a24
Fixed
3d0994ed0aa1fc0a2c5e620b765e8defdd021bff
Fixed
6e5fa7add3e76da068a478d905be64be8fa4e80a
Fixed
0af0812baf2d363176c9b76fc07e33f13aede8db
Fixed
21d033e472735ecec677f1ae46d6740b5e47a4f3
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5.10.248
Fixed
5.10.252
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5.15.198
Fixed
5.15.202

Affected versions

v5.*
v5.10.248
v5.10.249
v5.10.250
v5.10.251
v5.15.198
v5.15.199
v5.15.200
v5.15.201

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45860.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.252
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.202
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.165
Type
ECOSYSTEM
Events
Introduced
5.19.0
Fixed
6.6.128
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.12.75
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.18.14
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.19.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45860.json"