Skip to main content

Linux Kernel CVE-2026-45873

| EUVDEUVD-2026-32339 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-9868-rgmf-pm96
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access with low privilege (CAP_NET_ADMIN via user namespace) required to invoke nftables; no confidentiality or integrity impact, only kernel crash.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 21:15 vuln.today
CVSS changed
Jun 25, 2026 - 21:07 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_set_rbtree: check for partial overlaps in anonymous sets

Userspace provides an optimized representation in case intervals are adjacent, where the end element is omitted.

The existing partial overlap detection logic skips anonymous set checks on start elements for this reason.

However, it is possible to add intervals that overlap to this anonymous where two start elements with the same, eg. A-B, A-C where C < B.

start end A B start end A C

Restore the check on overlapping start elements to report an overlap.

AnalysisAI

Denial-of-service via kernel crash in the Linux kernel's netfilter nft_set_rbtree subsystem, exploitable by a local user with nftables manipulation capability. The flaw lies in the partial overlap detection logic for anonymous sets: an optimization that omits end elements for adjacent intervals also inadvertently suppresses overlap checks on start elements, allowing two intervals sharing the same start point (e.g., A-B and A-C where C < B) to be inserted simultaneously, corrupting the red-black tree and triggering a kernel panic. No public exploit code has been identified at time of analysis, and the EPSS score of 0.02% (7th percentile) reflects low real-world exploitation probability, though the vulnerability is present across many long-term stable kernel branches.

Technical ContextAI

The affected component is nft_set_rbtree, the red-black tree backend for interval sets in Linux's nftables framework (netfilter). Anonymous sets are kernel-internal constructs used by nftables to represent match criteria within rules; they are distinct from named sets and carry a specific optimization: when two intervals are adjacent, the end element of the first may be omitted. The existing partial overlap detection code honored this optimization by skipping start-element overlap checks on anonymous sets entirely. The root cause is an incomplete invariant check - effectively a logic error (no CWE assigned by NVD, but analogous to CWE-682 Incorrect Calculation or CWE-20 Improper Input Validation). By crafting two interval rules with an identical start key but different end keys (A-B and A-C, C < B), the kernel can be made to insert both into the same rbtree node context, violating the tree's structural invariants and causing an unrecoverable kernel panic. Affected CPE: cpe:2.3:o:linux:linux_kernel across all major stable branches from 4.19 through pre-patch 7.0.

RemediationAI

The primary fix is upgrading to a patched kernel version. Confirmed patched stable releases per EUVD data include: 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, and 7.0. Upstream fix commits are available at https://git.kernel.org/stable/c/029e5f6a95e905b12d6bc20421be32a01e0eb311 and related commits (05feaf826390, 4780ec142cbb, 7ca5813e1b21, dad14d22dff1, e6497e06a102, f1381ce0a1dd, f1535d56fc3f). Distribution vendors (Red Hat, Debian, Ubuntu, SUSE) will backport these patches to their kernel packages; check distribution security advisories for packaged fix versions. As a compensating control where patching is not immediately possible, disabling unprivileged user namespaces (sysctl kernel.unprivileged_userns_clone=0 on systems that support it, or kernel.unprivileged_userns_clone=0 via /etc/sysctl.d/) removes the most common privilege escalation path to CAP_NET_ADMIN for untrusted local users - note this breaks some containerized workloads and sandboxed applications (e.g., Chromium, Podman rootless). Alternatively, restricting nftables access via AppArmor or SELinux policy to trusted processes limits exposure without affecting user namespaces broadly.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

CVE-2026-45873 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy