### [CVE-2025-21648](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21648)
![](https://img.shields.io/static/v1?label=Product&message=Linux&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=4.7%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=9cc1c73ad66610bffc80b691136ffc1e9a3b1a58%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=blue)

### Description

In the Linux kernel, the following vulnerability has been resolved:netfilter: conntrack: clamp maximum hashtable size to INT_MAXUse INT_MAX as maximum size for the conntrack hashtable. Otherwise, itis possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() whenresizing hashtable because __GFP_NOWARN is unset. See:  0708a0afe291 ("mm: Consider __GFP_NOWARN flag for oversized kvmalloc() calls")Note: hashtable resize is only possible from init_netns.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/ARPSyndicate/cve-scores
- https://github.com/fkie-cad/nvd-json-data-feeds
- https://github.com/oogasawa/Utility-security
- https://github.com/w4zu/Debian_security