netfilter ConnCount Bypass
CVE-2026-23139
Severity: HIGH (CVSS 7.5)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
KernelScan AI
01 Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conncount: update last_gc only when GC has been performed

Currently last_gc is being updated every time a new connection is tracked, which means that it is updated even if a GC wasn't performed. With a sufficiently high packet rate, it is possible to always bypass the GC, causing the list to grow infinitely. Update the last_gc value only when a GC has actually been performed.
02 KernelScan AI Analysis
Risk summary
Network-facing systems using netfilter connection tracking are exposed to denial of service. An attacker can send high-rate connection attempts that keep bypassing garbage collection, so the connection list grows without bound and consumes kernel memory until the system becomes unresponsive.
Vulnerability analysis
The vulnerability stems from incorrect timestamp management in netfilter's connection counting mechanism (nf_conncount). The last_gc timestamp was updated on every new connection regardless of whether garbage collection actually ran, so a sustained high packet rate makes every GC check conclude that a GC just happened and skip it. The fix moves the timestamp update so that it occurs only after garbage collection has actually been performed, ensuring that resource cleanup cannot be indefinitely postponed. This affects any network-facing system using netfilter connection tracking limits.
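To make the mechanism concrete, the following C program is a constructed, simplified model of a connection-count list with rate-limited garbage collection; it is an added example, not the kernel's nf_conncount code. The tick-based clock, the values of GC_INTERVAL and CONN_TIMEOUT, and the names conn_list, maybe_gc, add_conn and simulate are all assumptions made for this example. The `buggy` flag reproduces the flaw the advisory describes (last_gc refreshed on every add); with it cleared, last_gc is written only inside the GC routine, which is the shape of the fix.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not kernel code. Time is an abstract tick counter
 * rather than jiffies; the constants below are assumed values. */
#define GC_INTERVAL  10   /* ticks that must pass since last_gc before GC runs */
#define CONN_TIMEOUT 30   /* a tracked entry older than this is stale */

struct conn {
    unsigned long created;
    struct conn *next;
};

struct conn_list {
    struct conn *head;
    unsigned int count;
    unsigned long last_gc;   /* the timestamp whose handling the advisory describes */
    unsigned int gc_runs;    /* how often GC really ran (for measurement only) */
};

/* Drop stale entries. In the fixed design this is the only writer of last_gc. */
static void gc_list(struct conn_list *l, unsigned long now)
{
    struct conn **pp = &l->head;

    while (*pp) {
        struct conn *c = *pp;
        if (now - c->created > CONN_TIMEOUT) {
            *pp = c->next;
            free(c);
            l->count--;
        } else {
            pp = &c->next;
        }
    }
    l->last_gc = now;
    l->gc_runs++;
}

/* GC is skipped when, judged by last_gc, one appears to have run recently. */
static bool maybe_gc(struct conn_list *l, unsigned long now)
{
    if (now - l->last_gc < GC_INTERVAL)
        return false;
    gc_list(l, now);
    return true;
}

/* Track one new connection. With buggy == true, last_gc is refreshed on every
 * add whether or not GC ran, so a steady stream of adds starves GC forever. */
static void add_conn(struct conn_list *l, unsigned long now, bool buggy)
{
    struct conn *c;

    maybe_gc(l, now);
    c = malloc(sizeof(*c));
    if (!c)
        abort();
    c->created = now;
    c->next = l->head;
    l->head = c;
    l->count++;
    if (buggy)
        l->last_gc = now;   /* flaw: claims "GC just ran" even though it did not */
}

/* Simulate one new connection per tick; returns the final list length and,
 * through *gc_runs (may be NULL), how many times GC actually executed. */
static unsigned int simulate(bool buggy, unsigned long ticks, unsigned int *gc_runs)
{
    struct conn_list l = { 0 };
    unsigned int count;

    for (unsigned long t = 1; t <= ticks; t++)
        add_conn(&l, t, buggy);

    count = l.count;
    if (gc_runs)
        *gc_runs = l.gc_runs;
    while (l.head) {              /* release the model's memory */
        struct conn *n = l.head->next;
        free(l.head);
        l.head = n;
    }
    return count;
}

/* Convenience wrapper that reports only the GC run count. */
static unsigned int count_gc_runs(bool buggy, unsigned long ticks)
{
    unsigned int runs = 0;
    simulate(buggy, ticks, &runs);
    return runs;
}

int main(void)
{
    unsigned int runs, n;

    n = simulate(true, 1000, &runs);
    printf("buggy: %u entries after 1000 ticks, GC ran %u times\n", n, runs);
    n = simulate(false, 1000, &runs);
    printf("fixed: %u entries after 1000 ticks, GC ran %u times\n", n, runs);
    return 0;
}
```

With one new connection per tick, the buggy variant never satisfies the GC interval check (every add stamps last_gc with the current tick), so GC runs zero times and the list holds every entry ever added; the fixed variant runs GC every GC_INTERVAL ticks and the list settles at roughly CONN_TIMEOUT entries regardless of how long the flood lasts. The measurable signal for a defender is the same in both the model and the real bug: a conncount list whose length keeps rising under sustained load instead of plateauing.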
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.1 | 6.1.161 | 2c7c71113ed6 |
| 6.6 | 6.6.121 | c4cde57c8aff |
| 6.12 | 6.12.66 | 9f45588993d7 |
| 6.18 | 6.18.6 | 3cd717359e56 |
| mainline | 6.19 | 26a82dce2bee |