Uncontrolled Recursion Affecting kernel-rt-debug-core package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Uncontrolled Recursion vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-CENTOS10-KERNELRTDEBUGCORE-13974711
- published14 Nov 2025
- disclosed12 Nov 2025
Introduced: 12 Nov 2025
CVE-2025-40206 (opens in a new tab)How to fix?
There is no fixed version for Centos:10 kernel-rt-debug-core.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-rt-debug-core package and not the kernel-rt-debug-core package as distributed by Centos.
See How to fix? for Centos:10 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_objref: validate objref and objrefmap expressions
Referencing a synproxy stateful object from OUTPUT hook causes kernel crash due to infinite recursive calls:
BUG: TASK stack guard page was hit at 000000008bda5b8c (stack is 000000003ab1c4a5..00000000494d8b12) [...] Call Trace: __find_rr_leaf+0x99/0x230 fib6_table_lookup+0x13b/0x2d0 ip6_pol_route+0xa4/0x400 fib6_rule_lookup+0x156/0x240 ip6_route_output_flags+0xc6/0x150 __nf_ip6_route+0x23/0x50 synproxy_send_tcp_ipv6+0x106/0x200 synproxy_send_client_synack_ipv6+0x1aa/0x1f0 nft_synproxy_do_eval+0x263/0x310 nft_do_chain+0x5a8/0x5f0 [nf_tables nft_do_chain_inet+0x98/0x110 nf_hook_slow+0x43/0xc0 __ip6_local_out+0xf0/0x170 ip6_local_out+0x17/0x70 synproxy_send_tcp_ipv6+0x1a2/0x200 synproxy_send_client_synack_ipv6+0x1aa/0x1f0 [...]
Implement objref and objrefmap expression validate functions.
Currently, only NFT_OBJECT_SYNPROXY object type requires validation. This will also handle a jump to a chain using a synproxy object from the OUTPUT hook.
Now when trying to reference a synproxy object in the OUTPUT hook, nft will produce the following error:
synproxy_crash.nft: Error: Could not process rule: Operation not supported synproxy name mysynproxy ^^^^^^^^^^^^^^^^^^^^^^^^
References
- https://bugzilla.redhat.com/show_bug.cgi?id=2414712
- https://access.redhat.com/security/cve/CVE-2025-40206
- https://git.kernel.org/stable/c/0028e0134c64d9ed21728341a74fcfc59cd0f944
- https://git.kernel.org/stable/c/4c1cf72ec10be5a9ad264650cadffa1fbce6fabd
- https://git.kernel.org/stable/c/7ea55a44493a5a36c3b3293b88bbe4841f9dbaf0
- https://git.kernel.org/stable/c/f359b809d54c6e3dd1d039b97e0b68390b0e53e4