Skip to main content

Linux Kernel CVE-2026-43190

| EUVDEUVD-2026-27750 HIGH
Out-of-bounds Read (CWE-125)
2026-05-06 Linux GHSA-395h-h5jq-ggp6
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:35 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
8.2 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
HIGH 8.2

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: xt_tcpmss: check remaining length before reading optlen

Quoting reporter: In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads op[i+1] directly without validating the remaining option length.

If the last byte of the option field is not EOL/NOP (0/1), the code attempts to index op[i+1]. In the case where i + 1 == optlen, this causes an out-of-bounds read, accessing memory past the optlen boundary (either reading beyond the stack buffer _opt or the following payload).

AnalysisAI

Out-of-bounds read in the Linux kernel's netfilter xt_tcpmss module allows remote unauthenticated attackers to leak memory contents and potentially cause system crashes via malformed TCP options. The xt_tcpmss TCP option parser fails to validate remaining option length before reading optlen values, triggering memory access beyond buffer boundaries when processing crafted packets. EPSS exploitation probability is low (0.02%, 7th percentile) and no public exploit identified at time of analysis, but the network attack vector (AV:N) and lack of authentication requirements (PR:N) make this exploitable against any system using netfilter with TCP MSS clamping enabled.

Technical ContextAI

The vulnerability resides in net/netfilter/xt_tcpmss.c, specifically in the TCP options parsing logic (lines 53-68). Netfilter's xt_tcpmss module implements TCP Maximum Segment Size clamping, a common technique to prevent MTU-related packet fragmentation issues in network address translation and VPN scenarios. The parser iterates through TCP option fields but performs unsafe array indexing by reading op[i+1] without first verifying that i+1 remains within the optlen boundary. When a malformed TCP packet contains option bytes at the end of the option field that are neither EOL (0x00) nor NOP (0x01), the code attempts to read the option length byte at position i+1. If this occurs when i+1 equals or exceeds optlen, the read accesses memory beyond either the stack-allocated _opt buffer or extends into subsequent packet payload data. This is a classic buffer over-read vulnerability affecting packet processing in kernel space, where boundary checks must be rigorous due to untrusted network input. The affected code path executes during TCP packet filtering, meaning any system with iptables/nftables rules using TCP MSS clamping processes these options in kernel context.

RemediationAI

Apply vendor-supplied kernel patches immediately for affected versions. Specific fix versions: upgrade to Linux 5.10.252 or later for 5.10.x branch, 5.15.202+ for 5.15.x LTS, 6.1.165+ for 6.1.x LTS, 6.6.128+ for 6.6.x LTS, 6.12.75+ for 6.12.x, 6.18.16+ for 6.18.x, 6.19.6+ for 6.19.x, or 7.0+ for mainline. All patches implement bounds checking before reading TCP option length bytes in net/netfilter/xt_tcpmss.c. Consult your Linux distribution's security advisory channels (e.g., RHSA, USN, SUSE Security Update) for distribution-specific kernel packages. For systems unable to patch immediately, compensating controls include: (1) Disable xt_tcpmss module and remove TCP MSS clamping iptables/nftables rules if not operationally required - this eliminates the vulnerable code path but may cause MTU issues for NATed/VPN traffic; verify application compatibility before implementing. (2) Implement strict network ingress filtering to block malformed TCP packets at network perimeter before reaching vulnerable hosts - requires deep packet inspection capability and may impact performance; effectiveness depends on attacker's ability to bypass filtering. (3) Deploy kernel runtime protection mechanisms like grsecurity/PaX if available for your distribution - adds exploit mitigation but does not fix root cause. Patch references and validation commits available at https://git.kernel.org/stable/c/735ee8582da3d239eb0c7a53adca61b79fb228b3 and related stable tree commits. Reboot required after kernel update to activate patched code.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43190 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy