Skip to main content

Linux CVE-2026-23397

| EUVDEUVD-2026-16157 HIGH
Out-of-bounds Read (CWE-125)
2026-03-26 Linux
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
SUSE
4.4 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Red Hat
4.4 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 24, 2026 - 15:22 vuln.today
cvss_changed
CVSS changed
Apr 24, 2026 - 15:22 NVD
7.1 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 26, 2026 - 10:45 euvd
EUVD-2026-16157
Analysis Generated
Mar 26, 2026 - 10:45 vuln.today
CVE Published
Mar 26, 2026 - 10:22 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

nfnetlink_osf: validate individual option lengths in fingerprints

nfnl_osf_add_callback() validates opt_num bounds and string NUL-termination but does not check individual option length fields. A zero-length option causes nf_osf_match_one() to enter the option matching loop even when foptsize sums to zero, which matches packets with no TCP options where ctx->optp is NULL:

Oops: general protection fault KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98) Call Trace: nf_osf_match (net/netfilter/nfnetlink_osf.c:227) xt_osf_match_packet (net/netfilter/xt_osf.c:32) ipt_do_table (net/ipv4/netfilter/ip_tables.c:293) nf_hook_slow (net/netfilter/core.c:623) ip_local_deliver (net/ipv4/ip_input.c:262) ip_rcv (net/ipv4/ip_input.c:573)

Additionally, an MSS option (kind=2) with length < 4 causes out-of-bounds reads when nf_osf_match_one() unconditionally accesses optp[2] and optp[3] for MSS value extraction. While RFC 9293 section 3.2 specifies that the MSS option is always exactly 4 bytes (Kind=2, Length=4), the check uses "< 4" rather than "!= 4" because lengths greater than 4 do not cause memory safety issues -- the buffer is guaranteed to be at least foptsize bytes by the ctx->optsize == foptsize check.

Reject fingerprints where any option has zero length, or where an MSS option has length less than 4, at add time rather than trusting these values in the packet matching hot path.

AnalysisAI

Linux kernel nfnetlink_osf module fails to validate TCP option lengths in OS fingerprint definitions, allowing null pointer dereference and out-of-bounds memory reads when processing packets with malformed or missing TCP options. The vulnerability affects Linux kernel versions across multiple stable branches (6.1.x through 6.19.x and 7.0-rc5), with EPSS score of 0.02% indicating low practical exploitation probability despite the memory safety issue. No public exploit code or active exploitation has been reported.

Technical ContextAI

The nfnetlink_osf (netfilter OS fingerprinting) module in the Linux kernel validates OS fingerprints used for packet classification via netfilter rules. The vulnerable code path exists in nfnl_osf_add_callback() and nf_osf_match_one() functions within net/netfilter/nfnetlink_osf.c. The root cause is CWE-125 (out-of-bounds read) and CWE-476 (null pointer dereference) stemming from inadequate input validation: fingerprint definitions containing TCP options with zero length or MSS options (kind=2) with length less than 4 bytes are accepted at fingerprint registration time. When matching against incoming packets, the code unconditionally accesses optp[2] and optp[3] for MSS extraction without bounds checking, and enters option matching loops even when the total option size is zero, causing reads from ctx->optp which may be NULL for packets without TCP options. This affects all Linux distributions shipping the affected kernel versions per CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*.

RemediationAI

Update the Linux kernel to patched versions: Linux 6.1.167 or later, Linux 6.6.130 or later, Linux 6.12.78 or later, Linux 6.18.20 or later, Linux 6.19.10 or later, or Linux 7.0-rc5 or later depending on the currently deployed series. For systems unable to immediately apply kernel updates, disable the nfnetlink_osf module by removing it from modprobe configuration (echo 'blacklist nfnetlink_osf' >> /etc/modprobe.d/blacklist.conf) or by modifying iptables/nftables rules to not use OS fingerprinting matching. Systems that do not use netfilter OS fingerprinting features are not vulnerable. Kernel updates should be tested in non-production environments prior to deployment, and systems relying on nfnetlink_osf for security policies should prioritize patching. Consult vendor-specific advisory documentation from Debian and SUSE (as indicated by tags) for distribution-specific patch availability and timelines.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid vulnerable 6.19.8-1 -
(unstable) fixed (unfixed) -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23397 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy