CVE-2026-45860 Linux CVE debrief

Who should care

Organizations running Linux-based network infrastructure with connection limiting features enabled, particularly those using nftables connlimit rules, iptables xt_connlimit, or Open vSwitch connection rate limiting. Cloud providers and hosting platforms with multi-tenant networking may experience service degradation if connection limits are incorrectly enforced.

Technical summary

The nf_conncount mechanism in Linux netfilter tracks per-address connection counts for enforcing connection limits. A previous optimization restricted garbage collection to once per jiffy (typically 1-10ms depending on HZ configuration) to reduce overhead. However, this created a race condition: if new connections arrive faster than 8 per jiffy, stale entries accumulate and the connection list fills, triggering false limit violations. The fix implements conditional GC skipping—only bypassing cleanup if GC already ran this jiffy AND the current increment is below the new 64-connection threshold. This balances cleanup efficiency with correctness under high-throughput scenarios.

Defensive priority

medium

Recommended defensive actions

• Review kernel version and apply appropriate stable kernel update containing the nf_conncount fix
• Monitor connection tracking tables for unexpected limit enforcement under high connection rates
• If running nftables connlimit or OVS connection limits, prioritize patching
• Consider connection rate limiting at network edge as temporary mitigation if patching is delayed
• Validate connection limit behavior under load after applying updates

Evidence notes

The vulnerability description indicates this was resolved in the Linux kernel netfilter nf_conncount subsystem. Multiple stable kernel branch commits are referenced, suggesting backports to various kernel versions. The fix was validated using HTTP server performance testing with slowhttptest and OVS limit configurations at 52,000 connections.

Official resources