Home

Description

In the Linux kernel, the following vulnerability has been resolved: nfnetlink_osf: validate individual option lengths in fingerprints nfnl_osf_add_callback() validates opt_num bounds and string NUL-termination but does not check individual option length fields. A zero-length option causes nf_osf_match_one() to enter the option matching loop even when foptsize sums to zero, which matches packets with no TCP options where ctx->optp is NULL: Oops: general protection fault KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98) Call Trace: nf_osf_match (net/netfilter/nfnetlink_osf.c:227) xt_osf_match_packet (net/netfilter/xt_osf.c:32) ipt_do_table (net/ipv4/netfilter/ip_tables.c:293) nf_hook_slow (net/netfilter/core.c:623) ip_local_deliver (net/ipv4/ip_input.c:262) ip_rcv (net/ipv4/ip_input.c:573) Additionally, an MSS option (kind=2) with length < 4 causes out-of-bounds reads when nf_osf_match_one() unconditionally accesses optp[2] and optp[3] for MSS value extraction. While RFC 9293 section 3.2 specifies that the MSS option is always exactly 4 bytes (Kind=2, Length=4), the check uses "< 4" rather than "!= 4" because lengths greater than 4 do not cause memory safety issues -- the buffer is guaranteed to be at least foptsize bytes by the ctx->optsize == foptsize check. Reject fingerprints where any option has zero length, or where an MSS option has length less than 4, at add time rather than trusting these values in the packet matching hot path.

PUBLISHED Reserved 2026-01-13 | Published 2026-03-26 | Updated 2026-05-11 | Assigner Linux

Product status

Default status
unaffected

11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 (git) before e9cf17b91e733fec725ebcc0b3098bc5ccd505e0
affected

11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 (git) before 3c11b5c2436a3a5b450612ab160e3a525b28cfb5
affected

11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 (git) before aa0574182c46963c3cdb8cde46ec93aca21100d8
affected

11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 (git) before 224f4678812e1a7bc8341bcb666773a0aec5ea6f
affected

11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 (git) before ec8bf0571b142f29dc0b68ae2ac3952f7a464b38
affected

11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 (git) before 3932620c04c2938c93c0890c225960d3d34ba355
affected

11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 (git) before 4c6aa008b913e808c4f4d3cde36cb1d9bb5967c6
affected

11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 (git) before dbdfaae9609629a9569362e3b8f33d0a20fd783c
affected

Default status
affected

2.6.31
affected

Any version before 2.6.31
unaffected

5.10.253 (semver)
unaffected

5.15.203 (semver)
unaffected

6.1.167 (semver)
unaffected

6.6.130 (semver)
unaffected

6.12.78 (semver)
unaffected

6.18.20 (semver)
unaffected

6.19.10 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/e9cf17b91e733fec725ebcc0b3098bc5ccd505e0

git.kernel.org/...c/3c11b5c2436a3a5b450612ab160e3a525b28cfb5

git.kernel.org/...c/aa0574182c46963c3cdb8cde46ec93aca21100d8

git.kernel.org/...c/224f4678812e1a7bc8341bcb666773a0aec5ea6f

git.kernel.org/...c/ec8bf0571b142f29dc0b68ae2ac3952f7a464b38

git.kernel.org/...c/3932620c04c2938c93c0890c225960d3d34ba355

git.kernel.org/...c/4c6aa008b913e808c4f4d3cde36cb1d9bb5967c6

git.kernel.org/...c/dbdfaae9609629a9569362e3b8f33d0a20fd783c

cve.org (CVE-2026-23397)

nvd.nist.gov (CVE-2026-23397)

Download JSON