Skip to main content

Linux Kernel CVE-2026-52999

| EUVDEUVD-2026-38867 CRITICAL
Out-of-bounds Read (CWE-125)
2026-06-24 Linux GHSA-vhgw-q6q5-v9w3
9.1
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
3.7 LOW

Remote packets trigger it (AV:N) but it needs the non-default NF_OSF_LOGLEVEL_ALL osf config and an exact match (AC:H); the over-read corrupts logging without attacker-readable disclosure (C:N/I:N), minor availability/correctness impact (A:L).

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:46 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
9.1 (CRITICAL)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:29 cve.org
CRITICAL 9.1
CVE Published
Jun 24, 2026 - 16:29 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_osf: fix out-of-bounds read on option matching

In nf_osf_match(), the nf_osf_hdr_ctx structure is initialized once and passed by reference to nf_osf_match_one() for each fingerprint checked. During TCP option parsing, nf_osf_match_one() advances the shared ctx->optp pointer.

If a fingerprint perfectly matches, the function returns early without restoring ctx->optp to its initial state. If the user has configured NF_OSF_LOGLEVEL_ALL, the loop continues to the next fingerprint. However, because ctx->optp was not restored, the next call to nf_osf_match_one() starts parsing from the end of the options buffer. This causes subsequent matches to read garbage data and fail immediately, making it impossible to log more than one match or logging incorrect matches.

Instead of using a shared ctx->optp pointer, pass the context as a constant pointer and use a local pointer (optp) for TCP option traversal. This makes nf_osf_match_one() strictly stateless from the caller's perspective, ensuring every fingerprint check starts at the correct option offset.

AnalysisAI

Out-of-bounds read in the Linux kernel's netfilter nfnetlink_osf (passive OS fingerprinting) module occurs when the shared nf_osf_hdr_ctx->optp pointer is not reset after a fingerprint fully matches during TCP option parsing. Affecting systems that use the osf match with NF_OSF_LOGLEVEL_ALL enabled, the flaw causes subsequent fingerprint checks to parse beyond the end of the TCP options buffer, reading garbage data and producing incorrect or missing match logs. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach host with osf rule + LOGLEVEL_ALL
Delivery
Send crafted TCP options packet
Exploit
Trigger exact early fingerprint match
Execution
Cursor left past buffer end
Persist
Next compare reads out-of-bounds
Impact
Corrupted/incorrect fingerprint logging

Vulnerability AssessmentAI

Exploitation Requires the target to be running the netfilter passive OS fingerprinting feature (the 'osf' match in nftables/iptables backed by nfnetlink_osf) AND to have NF_OSF_LOGLEVEL_ALL configured - the description explicitly states the faulty loop only continues 'If the user has configured NF_OSF_LOGLEVEL_ALL.' The attacker must be able to send TCP packets that reach the osf-matched ruleset and must produce at least one exact fingerprint match to leave the cursor unrestored. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals conflict sharply. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An operator configures an nftables/iptables osf fingerprinting rule with NF_OSF_LOGLEVEL_ALL on an internet-facing host. A remote host sends TCP packets crafted so that an early fingerprint matches exactly, leaving the option cursor unrestored; the kernel then reads past the TCP options buffer on the next comparison, producing incorrect/garbage fingerprint logs and at most an out-of-bounds read. …
Remediation Apply the vendor kernel update for your branch - Vendor-released patch: upgrade to at least 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 as appropriate (commit fixes at https://git.kernel.org/stable/c/f5ca450087c3baf3651055e7a6de92600f827af3 and the other stable commits listed in CVE-2026-52999). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all systems running Linux with netfilter osf match and NF_OSF_LOGLEVEL_ALL configured; assess operational criticality of OS fingerprinting feature. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52999 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy