Skip to main content

Linux Kernel CVE-2026-43452

| EUVDEUVD-2026-28758 HIGH
2026-05-08 Linux GHSA-3jfw-v6mf-ccwx
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:36 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
8.2 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 14:22 nvd
HIGH 8.2

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: x_tables: guard option walkers against 1-byte tail reads

When the last byte of options is a non-single-byte option kind, walkers that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end of the option area.

Add an explicit i == optlen - 1 check before dereferencing op[i + 1] in xt_tcpudp and xt_dccp option walkers.

AnalysisAI

Out-of-bounds read in Linux kernel netfilter x_tables module allows remote attackers to disclose kernel memory and potentially cause denial of service. The xt_tcpudp and xt_dccp option walkers fail to validate boundaries when processing the last byte of TCP/UDP/DCCP options, triggering a 1-byte buffer over-read. CVSS 8.2 with network attack vector and no authentication required indicates high exploitability, though EPSS score of 0.02% (7th percentile) suggests minimal observed exploitation attempts. Patches available across all active kernel stable branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). No CISA KEV listing or public exploit code identified at time of analysis.

Technical ContextAI

This vulnerability affects the Linux kernel's netfilter subsystem, specifically the x_tables framework used for packet filtering and network address translation. The xt_tcpudp and xt_dccp modules implement option parsing for TCP, UDP, and DCCP protocols using iterators that advance through option fields with the pattern 'i += op[i + 1] ? : 1' to skip multi-byte options. When the final byte of an option block contains a non-single-byte option kind field without a corresponding length field, the walker attempts to read op[i + 1] beyond the allocated option buffer boundary. This bounds-checking failure constitutes a 1-byte buffer over-read, potentially exposing adjacent kernel memory contents. The affected code path executes during packet filtering operations when netfilter rules inspect TCP/UDP/DCCP options, making it reachable via network traffic processing. The CPE data indicates widespread impact across Linux kernel versions from 2.6.16 forward, with fixes backported to all currently maintained stable branches. The vulnerability stems from a classic off-by-one error pattern common in length-prefix parsing implementations where boundary conditions at buffer edges are not explicitly validated.

RemediationAI

Update to patched Linux kernel versions: 5.10.253 or later for 5.10.x series, 5.15.203+ for 5.15.x, 6.1.167+ for 6.1.x, 6.6.130+ for 6.6.x, 6.12.78+ for 6.12.x, 6.18.19+ for 6.18.x, 6.19.9+ for 6.19.x, or mainline 7.0+. Consult distribution-specific security advisories for vendor-supported kernel updates (RHEL, Ubuntu, Debian, SUSE kernels receive backported fixes independently). For systems unable to immediately patch, implement network-layer compensating controls: restrict netfilter rule sets to avoid TCP/UDP/DCCP option matching on untrusted traffic sources using iptables/nftables rules without '--tcp-option', '--udp-option', or DCCP equivalents, though this eliminates legitimate use cases for option-based filtering and may break application-layer protocols requiring option inspection. Alternatively, deploy network segmentation to prevent untrusted internet traffic from reaching vulnerable kernel packet processing paths, accepting reduced defense-in-depth for perimeter systems. These workarounds provide incomplete protection and carry operational trade-offs including reduced security policy granularity and potential application compatibility issues. Kernel patching remains the only complete remediation. Verify patch application with 'uname -r' output matching fixed version numbers and validate netfilter functionality post-update. Full references at https://git.kernel.org/stable/c/c2a445367a496a3c25dbc940c10c8bd1cfd4c14a and related commit links.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43452 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy