CVE-2026-45860
Status: Awaiting Analysis - Queue
Memory Leak in Linux Kernel Netfilter Connection Tracking

Publication date: 2026-05-27

Last updated on: 2026-05-30

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conncount: increase the connection clean up limit to 64

After the optimization to only perform one GC per jiffy, a new problem was introduced. If more than 8 new connections are tracked per jiffy, the list won't be cleaned up fast enough, possibly reaching the limit wrongly.

In order to prevent this issue, only skip the GC if it was already triggered during the same jiffy and the increment is lower than the clean up limit. In addition, increase the clean up limit to 64 connections to avoid triggering GC too often and do more effective GCs.

This has been tested using a HTTP server and several performance tools while having nft_connlimit/xt_connlimit or OVS limit configured. Output of slowhttptest + OVS limit at 52000 connections:

  slow HTTP test status on 340th second:
  initializing:        0
  pending:             432
  connected:           51998
  error:               0
  closed:              0
  service available:   YES
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-30
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 2 associated CPEs

Vendor         Product         Version / Range
linux_kernel   linux_kernel    *
linux_kernel   linux_kernel    to 64 (inc)
Exploitability
CWE ID: CWE-UNKNOWN
AI Quick Actions (AI-generated insights)
Executive Summary

This vulnerability exists in the Linux kernel's netfilter component, specifically in the nf_conncount module which tracks network connections.

After an optimization was made to perform only one garbage collection (GC) per jiffy (one kernel timer tick), a problem was introduced: if more than 8 new connections are tracked in a single jiffy, the connection list is not cleaned up quickly enough, so the connection limit can be reached incorrectly.

To fix this, the cleanup limit was increased from 8 to 64 connections, and the GC skipping logic was adjusted to only skip if GC was already triggered during the same jiffy and the increment is below the cleanup limit. This change helps avoid triggering GC too often and makes garbage collection more effective.
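To make the throttle concrete, here is an added simulation written for this page (it is not the kernel's nf_conncount code) that models both the old skip rule and the fixed one and counts how many connections are refused although the limit was never really reached. The one-jiffy connection lifetime, the 200-entry limit and the arrival rates are constructed assumptions.

```c
#include <stdbool.h>
/* Constructed model of the per-jiffy GC throttle the advisory describes;
 * it is not the kernel's nf_conncount code. Every connection is assumed
 * to close after one jiffy, so entries added in jiffy t are stale in t+1. */
#define OLD_GC_LIMIT 8   /* clean-up limit before the fix */
#define NEW_GC_LIMIT 64  /* clean-up limit after the fix */

struct conn_list {
    unsigned long count, stale;      /* tracked entries; of which closed */
    unsigned long last_gc, since_gc; /* jiffy of last GC; adds since then */
};

/* One GC pass: reclaim at most 'limit' stale entries. */
static void gc(struct conn_list *l, unsigned long limit)
{
    unsigned long n = l->stale < limit ? l->stale : limit;
    l->stale -= n; l->count -= n; l->since_gc = 0;
}

/* Track one new connection; returns false when the limit is reached. */
static bool conn_add(struct conn_list *l, unsigned long now,
                     unsigned long limit, unsigned long gc_limit, bool patched)
{
    bool same_jiffy = (l->last_gc == now);
    /* Unpatched: skip GC whenever it already ran this jiffy. Patched: skip
     * only if fewer than gc_limit entries were added since that GC. */
    bool skip = patched ? (same_jiffy && l->since_gc < gc_limit) : same_jiffy;
    if (!skip) { gc(l, gc_limit); l->last_gc = now; }
    if (l->count >= limit) return false;
    l->count++; l->since_gc++;
    return true;
}

/* Run 'jiffies' jiffies at 'rate' new connections each; return how many were
 * refused even though at most 'rate' connections were ever live at once. */
unsigned long simulate(unsigned long rate, unsigned long limit,
                       unsigned long jiffies, bool patched)
{
    struct conn_list l = {0, 0, 0, 0};
    unsigned long gc_limit = patched ? NEW_GC_LIMIT : OLD_GC_LIMIT;
    unsigned long refused = 0, added_prev = 0;
    for (unsigned long now = 1; now <= jiffies; now++) {
        unsigned long added = 0;
        l.stale += added_prev;  /* last jiffy's connections have closed */
        for (unsigned long i = 0; i < rate; i++)
            if (conn_add(&l, now, limit, gc_limit, patched)) added++; else refused++;
        added_prev = added;
    }
    return refused;
}
```

With 20 arrivals per jiffy and a limit of 200, simulate(20, 200, 100, false) returns a positive refusal count while simulate(20, 200, 100, true) returns 0; at 5 arrivals per jiffy (below the old limit of 8) neither policy refuses anything.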

Impact Analysis

If this vulnerability is present, the system may incorrectly reach the connection tracking limit due to insufficient cleanup of tracked connections when many new connections occur in a short time.

This could lead to degraded network performance or denial of service conditions because new connections might be blocked or mishandled when the connection tracking list appears full.

The fix increases the cleanup limit and improves garbage collection efficiency, helping maintain proper connection tracking and system stability under high connection loads.

Mitigation Strategies

The vulnerability is in the nf_conncount module of the Linux kernel, where the connection clean-up limit was too low, so tracking many new connections within a single jiffy could wrongly exhaust the limit.

To mitigate it, update to a kernel version that includes the fix, which raises the clean-up limit to 64 connections and only skips garbage collection when it already ran in the same jiffy and fewer new connections than the clean-up limit have been added since.

Detection Guidance

This vulnerability concerns the garbage collection of the Linux kernel's netfilter connection counting (nf_conncount): when more than 8 new connections are tracked in one jiffy, the connection list may not be cleaned up fast enough.

To check whether a system is affected, monitor connection tracking statistics and watch for the connection tracking table reaching its limits, or for an unusually high number of pending or connected entries that are not being cleaned up. Note that nf_conncount keeps its own per-key connection lists for connlimit rules, separate from the main conntrack table, so table occupancy is only an indirect signal; connections refused by a connlimit rule while the actual number of live connections is below the configured limit is the more direct symptom.

Commands that may help in detecting this issue include:

  • Check connection tracking table size and usage: sudo cat /proc/net/nf_conntrack or sudo conntrack -L
  • Monitor the number of new connections per jiffy by observing system performance tools or custom scripts that track connection creation rates.
  • Use tools like 'slowhttptest' to simulate slow HTTP connections and observe connection states, as was done in testing.
  • Check kernel logs for any related netfilter or connection tracking warnings or errors.