Skip to main content

Linux Kernel EUVDEUVD-2026-32167

| CVE-2026-45841 MEDIUM
Divide By Zero (CWE-369)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-w9m2-286p-3583
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local attack vector with low privilege (CAP_NET_ADMIN) required to inject fingerprint; no scope change; impact is pure availability loss (kernel panic) with no confidentiality or integrity effect.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 26, 2026 - 19:08 vuln.today
CVSS changed
Jun 26, 2026 - 19:07 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 11:16 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 11:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO

nf_osf_match_one() computes ctx->window % f->wss.val in the OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a subsequent matching TCP SYN divides by zero and panics the kernel.

Reject the bogus fingerprint in nfnl_osf_add_callback() above the per-option for-loop. f->wss is per-fingerprint, not per-option, so the check must run regardless of f->opt_num (including 0). Also reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that as "should not happen".

Crash: Oops: divide error: 0000 [#1] SMP KASAN NOPTI RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98) Call Trace: <IRQ> nf_osf_match (net/netfilter/nfnetlink_osf.c:220) xt_osf_match_packet (net/netfilter/xt_osf.c:32) ipt_do_table (net/ipv4/netfilter/ip_tables.c:348) nf_hook_slow (net/netfilter/core.c:622) ip_local_deliver (net/ipv4/ip_input.c:265) ip_rcv (include/linux/skbuff.h:1162) __netif_receive_skb_one_core (net/core/dev.c:6181) process_backlog (net/core/dev.c:6642) __napi_poll (net/core/dev.c:7710) net_rx_action (net/core/dev.c:7945) handle_softirqs (kernel/softirq.c:622)

AnalysisAI

Divide-by-zero in the Linux kernel netfilter OSF module (nfnetlink_osf) allows a local user with CAP_NET_ADMIN to crash the kernel. By injecting a crafted OS fingerprint with a zero window scale value (wss.val=0) via nfnetlink, the attacker causes nf_osf_match_one() to execute an unguarded modulo operation when any subsequent matching TCP SYN packet is processed, resulting in a kernel panic and system-wide denial of service. No active exploitation is confirmed; EPSS sits at 0.02% (5th percentile), reflecting very low probability of widespread automated exploitation.

Technical ContextAI

The vulnerability is in net/netfilter/nfnetlink_osf.c within the xt_osf (OS fingerprinting) netfilter match module, present since Linux 2.6.31. The OSF subsystem maintains a userspace-loadable database of TCP SYN characteristics (window size, options) used to passively fingerprint remote OS types. In the OSF_WSS_MODULO branch of nf_osf_match_one() at line 98, the kernel computes ctx->window % f->wss.val to normalize the TCP window scale, but performs no guard for f->wss.val 0. A fingerprint with this zero value can be injected via nfnetlink by any process holding CAP_NET_ADMIN. The root cause is CWE-369 (Divide By Zero): the validation in nfnl_osf_add_callback() did not reject malformed fingerprints before they entered the match loop, and f->wss is per-fingerprint rather than per-option, so the bug triggers even when f->opt_num is 0. The fix adds rejection of wss.val 0 and wss.wc >= OSF_WSS_MAX at fingerprint registration time.

RemediationAI

The primary fix is to upgrade to a patched Linux kernel: 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1-rc1 depending on the stable branch in use. Upstream fix commits are available at https://git.kernel.org/stable/c/9a05e195618a6d474f2bcd5b6376d0ffc2f00366 (and parallel commits for each branch listed in the references). Where immediate kernel patching is not possible, administrators should blacklist the xt_osf module by adding 'blacklist xt_osf' to /etc/modprobe.d/blacklist.conf and unloading it with 'rmmod xt_osf' - this eliminates the attack surface entirely but disables any netfilter rules relying on OS fingerprint matching. In containerized environments, audit and remove CAP_NET_ADMIN from all workloads that do not explicitly require it, as this capability is the prerequisite for fingerprint injection. See VulDB advisory https://vuldb.com/vuln/366056 for additional tracking.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
Image SLES12-SP5-Azure-BYOS Affected
Image SLES12-SP5-Azure-SAP-BYOS Image SLES12-SP5-Azure-SAP-On-Demand Image SLES12-SP5-EC2-SAP-On-Demand Affected
SUSE Linux Enterprise Server 12 SP5-LTSS Fixed
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 Fixed
openSUSE Tumbleweed Fixed

Share

EUVD-2026-32167 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy