CVE-2026-23397

HIGH EPSS 1.9%
Published Mar 26, 20263mo ago · Modified Jun 17, 20262w ago
7.1 CVSS 3.1
High
Find Similar
Published Mar 26, 2026 3mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: nfnetlink_osf: validate individual option lengths in fingerprints nfnl_osf_add_callback() validates opt_num bounds and string NUL-termination but does not check individual option length fields. A zero-length option causes nf_osf_match_one() to enter the option matching loop even when foptsize sums to zero, which matches packets with no TCP options where ctx->optp is NULL: Oops: general protection fault KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98) Call Trace: nf_osf_match (net/netfilter/nfnetlink_osf.c:227) xt_osf_match_packet (net/netfilter/xt_osf.c:32) ipt_do_table (net/ipv4/netfilter/ip_tables.c:293) nf_hook_slow (net/netfilter/core.c:623) ip_local_deliver (net/ipv4/ip_input.c:262) ip_rcv (net/ipv4/ip_input.c:573) Additionally, an MSS option (kind=2) with length < 4 causes out-of-bounds reads when nf_osf_match_one() unconditionally accesses optp[2] and optp[3] for MSS value extraction. While RFC 9293 section 3.2 specifies that the MSS option is always exactly 4 bytes (Kind=2, Length=4), the check uses "< 4" rather than "!= 4" because lengths greater than 4 do not cause memory safety issues -- the buffer is guaranteed to be at least foptsize bytes by the ctx->optsize == foptsize check. Reject fingerprints where any option has zero length, or where an MSS option has length less than 4, at add time rather than trusting these values in the packet matching hot path.

CVSS Details

Base Score
7.1
Exploitability
1.8
Impact
5.2
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
1.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-125 Out-of-bounds Read Memory Safety

Affected Products 15

VendorProductVersionRange
linuxlinux_kernel*≥2.6.31.1  –  <5.10.253
linuxlinux_kernel*≥5.11  –  <5.15.203
linuxlinux_kernel*≥5.16  –  <6.1.167
linuxlinux_kernel*≥6.2  –  <6.6.130
linuxlinux_kernel*≥6.7  –  <6.12.78
linuxlinux_kernel*≥6.13  –  <6.18.20
linuxlinux_kernel*≥6.19  –  <6.19.10
linuxlinux_kernel2.6.31any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/224f4678812e1a7bc8341bcb666773a0aec5ea6f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3932620c04c2938c93c0890c225960d3d34ba355
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3c11b5c2436a3a5b450612ab160e3a525b28cfb5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4c6aa008b913e808c4f4d3cde36cb1d9bb5967c6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/aa0574182c46963c3cdb8cde46ec93aca21100d8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/dbdfaae9609629a9569362e3b8f33d0a20fd783c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e9cf17b91e733fec725ebcc0b3098bc5ccd505e0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ec8bf0571b142f29dc0b68ae2ac3952f7a464b38
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/224f4678812e1a7bc8341bcb666773a0aec5ea6f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3932620c04c2938c93c0890c225960d3d34ba355
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3c11b5c2436a3a5b450612ab160e3a525b28cfb5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4c6aa008b913e808c4f4d3cde36cb1d9bb5967c6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/aa0574182c46963c3cdb8cde46ec93aca21100d8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/dbdfaae9609629a9569362e3b8f33d0a20fd783c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e9cf17b91e733fec725ebcc0b3098bc5ccd505e0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ec8bf0571b142f29dc0b68ae2ac3952f7a464b38
    Patch