Skip to main content

Linux Kernel CVE-2026-45844

| EUVDEUVD-2026-32170 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-v3rr-h24h-xgqw
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.1 MEDIUM

AV:L and PR:L confirmed by description; I:L added over NVD's I:N because incorrect filtering can pass traffic that arptables rules were intended to block.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
SUSE
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 26, 2026 - 21:02 vuln.today
CVSS changed
Jun 26, 2026 - 18:52 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 11:16 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 11:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

netfilter: arp_tables: fix IEEE1394 ARP payload parsing

Weiming Shi says:

"arp_packet_match() unconditionally parses the ARP payload assuming two hardware addresses are present (source and target). However, IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address field, and arp_hdr_len() already accounts for this by returning a shorter length for ARPHRD_IEEE1394 devices.

As a result, on IEEE1394 interfaces arp_packet_match() advances past a nonexistent target hardware address and reads the wrong bytes for both the target device address comparison and the target IP address. This causes arptables rules to match against garbage data, leading to incorrect filtering decisions: packets that should be accepted may be dropped and vice versa.

The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already handles this correctly by skipping the target hardware address for ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match()."

Mangle the original patch to always return 0 (no match) in case user matches on the target hardware address which is never present in IEEE1394.

Note that this returns 0 (no match) for either normal and inverse match because matching in the target hardware address in ARPHRD_IEEE1394 has never been supported by arptables. This is intentional, matching on the target hardware address should never evaluate true for ARPHRD_IEEE1394.

Moreover, adjust arpt_mangle to drop the packet too as AI suggests:

In arpt_mangle, the logic assumes a standard ARP layout. Because IEEE1394 (FireWire) omits the target hardware address, the linear pointer arithmetic miscalculates the offset for the target IP address. This causes mangling operations to write to the wrong location, leading to packet corruption. To ensure safety, this patch drops packets (NF_DROP) when mangling is requested for these fields on IEEE1394 devices, as the current implementation cannot correctly map the FireWire ARP payload.

This omits both mangling target hardware and IP address. Even if IP address mangling should be possible in IEEE1394, this would require to adjust arpt_mangle offset calculation, which has never been supported.

Based on patch from Weiming Shi <bestswngs@gmail.com>.

AnalysisAI

Incorrect ARP payload parsing in the Linux kernel's netfilter arptables subsystem causes filtering rules to evaluate against garbage data on systems with IEEE1394 (FireWire) network interfaces. The arp_packet_match() function and arpt_mangle both assume a standard dual-hardware-address ARP layout, but IPv4-over-IEEE1394 per RFC 2734 omits the target hardware address field - the same discrepancy the rest of the kernel ARP stack already handles correctly. The result is that arptables rules on FireWire interfaces silently malfunction: legitimate traffic may be dropped and traffic that should be blocked may be passed, with arpt_mangle additionally writing to wrong offsets and corrupting packets. No public exploit has been identified and EPSS is 0.02% (6th percentile), consistent with the extremely niche attack surface.

Technical ContextAI

The vulnerability resides in net/ipv4/netfilter/arp_tables.c within the Linux kernel Netfilter framework, affecting the arp_packet_match() function and the arpt_mangle target. IPv4-over-IEEE1394 (ARPHRD_IEEE1394, FireWire) ARP packets conform to RFC 2734, which specifies that the target hardware address field is absent from the ARP payload. The kernel helper arp_hdr_len() already returns a shorter length for ARPHRD_IEEE1394 devices, and net/ipv4/arp.c (arp_create and arp_process) correctly skips the target hardware address for these devices. However, arp_packet_match() unconditionally advances the payload pointer past a nonexistent target hardware address field, then reads incorrect bytes for both the target hardware address comparison and the target IP address - an out-of-bounds read driven by an incorrect length assumption for this protocol variant. arpt_mangle compounds the issue by using the same flawed pointer arithmetic, writing mangle operations to wrong offsets and producing corrupted IEEE1394 ARP packets. No CWE is formally assigned by NVD; the root cause class is an incorrect buffer offset calculation (analogous to CWE-125 out-of-bounds read). CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*.

RemediationAI

Upgrade the Linux kernel to a patched stable release: 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1-rc2, as confirmed by EUVD-2026-32170. Upstream fix commits are published at https://git.kernel.org/stable/c/03ea11dbefaa55c502735ee551c89ef773fe753b, https://git.kernel.org/stable/c/1c55053f8ffdc060006df898fd3664e3d1bfac7b, https://git.kernel.org/stable/c/ac698d81fd6619c7504cee913f1cab5285fba1b7, https://git.kernel.org/stable/c/ad9973df8e0eeb123d9ec4d18828e05b7d44ff4b, and additional stable tree commits. For systems that cannot be patched immediately, the most effective compensating control is to remove any arptables rules that match on target hardware addresses for IEEE1394 interfaces - the fix itself returns no-match for such rules, so removing them replicates the patched behavior with no loss of previously functional filtering capability, since target hardware address matching on ARPHRD_IEEE1394 was never correctly supported. If IEEE1394 networking is entirely unused on a system, confirming no arptables rules reference those interfaces eliminates the code path entirely. No kernel module unload or service restart is required beyond the standard kernel upgrade and reboot cycle.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-45844 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy