Time-of-check Time-of-use (TOCTOU) The advisory has been revoked - it doesn't affect any version of package python-perf  (opens in a new tab)

The Centos security team deemed this advisory irrelevant for Centos:7.

Note: Versions mentioned in the description apply only to the upstream python-perf package and not the python-perf package as distributed by Centos.

In the Linux kernel, the following vulnerability has been resolved:

Revert "openvswitch: switch to per-action label counting in conntrack"

Currently, ovs_ct_set_labels() is only called for confirmed conntrack entries (ct) within ovs_ct_commit(). However, if the conntrack entry does not have the labels_ext extension, attempting to allocate it in ovs_ct_get_conn_labels() for a confirmed entry triggers a warning in nf_ct_ext_add():

WARN_ON(nf_ct_is_confirmed(ct));

This happens when the conntrack entry is created externally before OVS increments net->ct.labels_used. The issue has become more likely since commit fcb1aa5163b1 ("openvswitch: switch to per-action label counting in conntrack"), which changed to use per-action label counting and increment net->ct.labels_used when a flow with ct action is added.

Since there’s no straightforward way to fully resolve this issue at the moment, this reverts the commit to avoid breaking existing use cases.

• https://access.redhat.com/security/cve/CVE-2025-21958
• https://git.kernel.org/stable/c/1063ae07383c0ddc5bcce170260c143825846b03
• https://git.kernel.org/stable/c/9e79fdabd52cfce1a021640a81256878a2c516a2
• https://git.kernel.org/stable/c/d91bfc64a4886102746e74d2c6f3a61e9a77fd7d