
Linux Kernel CVE-2026-46244

EUVD-2026-34106 · CRITICAL (CVSS 3.1 base score 9.1)
Published 2026-06-03 · Linux · GHSA-fgx8-r5g7-5cr9

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: None

Lifecycle Timeline

  • Jun 05, 2026 - 07:24 (vuln.today): Analysis generated
  • Jun 05, 2026 - 07:22 (NVD): CVSS changed to 9.1 (CRITICAL)
  • Jun 03, 2026 - 19:01 (EUVD): Patch available
  • Jun 03, 2026 - 15:48 (nvd): CVE published, UNKNOWN (no severity yet)
  • Jun 03, 2026 - 15:48 (nvd): CVE published, CRITICAL 9.1

Description (NVD)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_inner: Fix IPv6 inner_thoff desync

In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong - points to extension header start) and l4proto (correct - e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.

For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.
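To illustrate the offset desync the description above refers to, here is an added example written for this page; it is not the kernel's nft_inner or ipv6_find_hdr() code. A minimal IPv6 extension-header walker in C computes the inner transport offset both ways, the base-header-only way (nhoff + 40) and by walking the extension-header chain, and then reads the TCP destination port at each offset from a constructed packet that carries one Destination Options header before TCP. The function names, constants and the sample packet are all assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constants from RFC 8200 (IPv6) and RFC 9293 (TCP); the names are ours. */
#define IPV6_HDR_LEN   40
#define NH_HOPOPTS      0
#define NH_TCP          6
#define NH_ROUTING     43
#define NH_FRAGMENT    44
#define NH_DSTOPTS     60

/* Extension headers that sit between the IPv6 base header and the transport
 * header, and therefore move the transport header offset. */
static int is_ext_hdr(uint8_t nh)
{
    return nh == NH_HOPOPTS || nh == NH_ROUTING ||
           nh == NH_FRAGMENT || nh == NH_DSTOPTS;
}

/* The flawed computation the advisory describes: the transport header is
 * assumed to start right after the 40-byte base header, whatever follows. */
size_t thoff_base_only(size_t nhoff)
{
    return nhoff + IPV6_HDR_LEN;
}

/* The correct computation: walk the extension-header chain until a
 * non-extension Next Header value is reached. Returns the transport header
 * offset and stores the L4 protocol in *l4proto, or -1 if the chain runs
 * past the end of the buffer. (Hypothetical helper, not the kernel's.) */
long thoff_walk_chain(const uint8_t *pkt, size_t len, size_t nhoff, uint8_t *l4proto)
{
    if (nhoff + IPV6_HDR_LEN > len)
        return -1;
    uint8_t nh = pkt[nhoff + 6];            /* Next Header field of the base header */
    size_t off = nhoff + IPV6_HDR_LEN;
    while (is_ext_hdr(nh)) {
        if (off + 8 > len)                  /* every extension header is >= 8 bytes */
            return -1;
        /* Fragment header is fixed at 8 bytes; the others carry Hdr Ext Len in
         * units of 8 bytes, not counting the first 8. */
        size_t hlen = (nh == NH_FRAGMENT) ? 8 : ((size_t)pkt[off + 1] + 1) * 8;
        nh = pkt[off];                      /* Next Header of this extension header */
        off += hlen;
        if (off > len)
            return -1;
    }
    *l4proto = nh;
    return (long)off;
}

/* What a rule matching on the inner TCP destination port reads at a given
 * transport offset: the big-endian 16-bit port at bytes 2..3 of the header. */
int tcp_dport_at(const uint8_t *pkt, size_t len, size_t thoff)
{
    if (thoff + 4 > len)
        return -1;
    return (pkt[thoff + 2] << 8) | pkt[thoff + 3];
}

/* Constructed sample (not a captured packet): an IPv6 base header followed by
 * one Destination Options header (8 bytes, PadN padding) and then a TCP header
 * with destination port 22. Returns the packet length. */
size_t build_sample_packet(uint8_t *buf, size_t cap)
{
    const size_t len = IPV6_HDR_LEN + 8 + 20;
    if (cap < len)
        return 0;
    memset(buf, 0, len);
    buf[0] = 0x60;                          /* version 6 */
    buf[4] = 0; buf[5] = 28;                /* payload length: 8 + 20 */
    buf[6] = NH_DSTOPTS;                    /* first header after the base is DstOpts */
    buf[7] = 64;                            /* hop limit */
    /* Destination Options header at offset 40 */
    buf[40] = NH_TCP;                       /* Next Header: TCP */
    buf[41] = 0;                            /* Hdr Ext Len 0 -> 8 bytes total */
    buf[42] = 1; buf[43] = 4;               /* PadN option, 4 bytes of padding */
    /* TCP header at offset 48: source port 40000, destination port 22 */
    buf[48] = 0x9c; buf[49] = 0x40;
    buf[50] = 0x00; buf[51] = 0x16;
    buf[60] = 0x50;                         /* data offset 5 (20-byte header) */
    buf[61] = 0x02;                         /* SYN */
    return len;
}

int main(void)
{
    uint8_t pkt[128];
    size_t len = build_sample_packet(pkt, sizeof pkt);
    uint8_t l4 = 0;
    long walked = thoff_walk_chain(pkt, len, 0, &l4);
    size_t base_only = thoff_base_only(0);
    printf("l4proto=%u walked thoff=%ld base-only thoff=%zu\n", l4, walked, base_only);
    printf("dport at walked offset:    %d\n", tcp_dport_at(pkt, len, (size_t)walked));
    printf("dport at base-only offset: %d\n", tcp_dport_at(pkt, len, base_only));
    return 0;
}
```

Run against the sample packet, the walk reports a transport offset of 48 with l4proto 6 (TCP), while the base-only computation reports 40. A rule that reads the destination port at offset 40 sees the PadN option bytes (260) instead of port 22, so a policy that drops inner TCP traffic to port 22 would not match; that is the "wrong header bytes" behaviour the attack chain on this page describes, and it is why the fix keeps the walked offset.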

Analysis (AI)

Firewall bypass in the Linux kernel's netfilter nft_inner module (versions 6.2 and later) allows remote attackers to forge transport headers in tunneled IPv6 packets due to a desynchronization between the computed inner transport header offset and the parsed L4 protocol. The flaw enables crafted IPv6 packets carrying extension headers to evade nftables inner-payload matching rules, with no public exploit identified at time of analysis and an EPSS score of 0.02% indicating negligible observed exploitation activity.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Identify Linux gateway with nft_inner IPv6 rules
  • Delivery: Craft tunneled IPv6 packet with extension headers
  • Exploit: Send to target tunnel endpoint
  • Execution: nft_inner mis-parses inner_thoff vs l4proto
  • Persist: nftables rule evaluates wrong header bytes
  • Impact: Disallowed inner flow bypasses firewall policy

Vulnerability Assessment (AI)

Exploitation: The target must be a Linux host running kernel 6.2 or later that processes tunneled traffic and has an nftables ruleset using the nft_inner expression to match on inner IPv6 payloads (typical of VXLAN/Geneve/IPIP6 decapsulation gateways, Kubernetes/overlay network nodes, or VPN concentrators that filter on the encapsulated flow). …

Risk Assessment: Signals diverge sharply on this one. …

Exploit Scenario: An attacker on a network path that reaches a Linux gateway running nftables inner-payload rules on tunneled IPv6 traffic crafts an encapsulated IPv6 packet containing one or more extension headers before the real transport protocol. Because nft_inner mis-parses inner_thoff while keeping the correct l4proto, the firewall evaluates the rule against the wrong bytes and admits traffic it should drop, allowing policy bypass to a service that nftables was supposed to protect. …

Remediation: Vendor-released patch: upgrade to Linux 6.6.142, 6.12.92, 6.18.34, 7.0.11, or 7.1-rc5 (or later) per the stable-tree fix commits at git.kernel.org (c161ad9, 870d59e, 689bbf4, d0f98a3, b6a91f6); on distribution kernels, install the vendor kernel update that incorporates these backports once published. …

Recommended Action (AI)

Within 24 hours: Inventory all Linux systems running kernel versions 6.2 and later that use nftables firewall rules. …


CVE-2026-46244 vulnerability details – vuln.today
