Skip to main content

Linux Kernel CVE-2026-52998

| EUVDEUVD-2026-38866 HIGH
NULL Pointer Dereference (CWE-476)
2026-06-24 Linux GHSA-pphc-92v7-v4w2
7.5
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.9 MEDIUM

Network-reachable and unauthenticated (AV:N/PR:N), but AC:H because it requires a non-default osf ruleset plus the specific NULL skb->dev path; availability-only impact (A:H).

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:45 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.5 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:29 cve.org
HIGH 7.5
CVE Published
Jun 24, 2026 - 16:29 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check

The nf_osf_ttl() function accessed skb->dev to perform a local interface address lookup without verifying that the device pointer was valid.

Additionally, the implementation utilized an in_dev_for_each_ifa_rcu loop to match the packet source address against local interface addresses. It assumed that packets from the same subnet should not see a decrement on the initial TTL. A packet might appear it is from the same subnet but it actually isn't especially in modern environments with containers and virtual switching.

Remove the device dereference and interface loop. Replace the logic with a switch statement that evaluates the TTL according to the ttl_check.

AnalysisAI

Kernel panic (denial of service) in the Linux kernel netfilter nfnetlink_osf module occurs because nf_osf_ttl() dereferences skb->dev during its TTL check without validating the device pointer, allowing a crafted packet to trigger a NULL pointer dereference on hosts using the OS-fingerprint (osf) match. The flaw affects systems with nftables/iptables rulesets that employ the osf TTL check, and is rated availability-only impact (CVSS 7.5, AV:N/A:H). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify host using netfilter osf match
Delivery
Send crafted packet over network
Exploit
Reach nf_osf_ttl with NULL skb->dev
Execution
Trigger NULL pointer dereference
Impact
Kernel panic / denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires the target Linux host to be running an nftables or iptables ruleset that uses the netfilter 'osf' (passive OS fingerprint) match, since nf_osf_ttl() is only reached through that feature - this is a non-default configuration and is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and point to a moderate, not urgent, priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who knows (or guesses) that a target host runs an nftables/iptables ruleset using the osf OS-fingerprint match sends specially crafted packets across the network that reach the osf TTL check on a code path where skb->dev is NULL, causing a kernel NULL pointer dereference and panic that takes the host offline. No authentication or user interaction is required, but the target must have the osf match configured; no public PoC is currently known.
Remediation Apply the vendor-released patch by upgrading to a fixed stable kernel for your branch: 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, or 6.18.33 (or later within the series), per the stable commits at https://git.kernel.org/stable/c/f4de0777e4554a7de19c920accde6319dd530782 and the related commits listed in EUVD-2026-38866; distribution users should take their vendor's corresponding kernel update. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify systems using nftables/iptables osf (OS-fingerprint) match rules-only these are vulnerable. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52998 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy