Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO

nf_osf_match_one() computes ctx->window % f->wss.val in the OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a subsequent matching TCP SYN divides by zero and panics the kernel.

Reject the bogus fingerprint in nfnl_osf_add_callback() above the per-option for-loop. f->wss is per-fingerprint, not per-option, so the check must run regardless of f->opt_num (including 0). Also reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that as "should not happen".

Crash:

  Oops: divide error: 0000 [#1] SMP KASAN NOPTI
  RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
  Call Trace:
   <IRQ>
   nf_osf_match (net/netfilter/nfnetlink_osf.c:220)
   xt_osf_match_packet (net/netfilter/xt_osf.c:32)
   ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)
   nf_hook_slow (net/netfilter/core.c:622)
   ip_local_deliver (net/ipv4/ip_input.c:265)
   ip_rcv (include/linux/skbuff.h:1162)
   __netif_receive_skb_one_core (net/core/dev.c:6181)
   process_backlog (net/core/dev.c:6642)
   __napi_poll (net/core/dev.c:7710)
   net_rx_action (net/core/dev.c:7945)
   handle_softirqs (kernel/softirq.c:622)
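The add-time rejection described above, modelled in user space as an added example; this is not the kernel patch or code from the kernel tree. The names osf_fp, osf_validate, osf_window_match and osf_add_and_match are hypothetical, the struct layout is simplified, and the MSS and MTU window modes are not modelled.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model (assumption): enum names follow the advisory text. */
enum { OSF_WSS_PLAIN, OSF_WSS_MSS, OSF_WSS_MTU, OSF_WSS_MODULO, OSF_WSS_MAX };

struct osf_fp {                          /* hypothetical fingerprint stand-in */
    struct { uint32_t wc, val; } wss;    /* per-fingerprint, not per-option */
    uint16_t opt_num;
};

/* Add path: checks wss before anything that depends on opt_num. */
int osf_validate(const struct osf_fp *f)
{
    if (f->wss.wc >= OSF_WSS_MAX)
        return -EINVAL;                  /* mode the matcher cannot handle */
    if (f->wss.wc == OSF_WSS_MODULO && f->wss.val == 0)
        return -EINVAL;                  /* would be window % 0 at match time */
    return 0;
}

/* Match path: window test only. Returns 1 on match, 0 otherwise. */
int osf_window_match(const struct osf_fp *f, uint16_t window)
{
    switch (f->wss.wc) {
    case OSF_WSS_PLAIN:
        return f->wss.val == 0 || window == f->wss.val;
    case OSF_WSS_MODULO:
        return window % f->wss.val == 0; /* val != 0 ensured by osf_validate() */
    default:
        return 0;                        /* MSS/MTU not modelled here */
    }
}

/* A fingerprint reaches the matcher only after validation: -EINVAL or 0/1. */
int osf_add_and_match(const struct osf_fp *f, uint16_t window)
{
    int err = osf_validate(f);
    return err ? err : osf_window_match(f, window);
}

int main(void)
{
    struct osf_fp bad = { { OSF_WSS_MODULO, 0 }, 0 }, ok = { { OSF_WSS_MODULO, 1024 }, 0 };
    printf("bad: %d\n", osf_add_and_match(&bad, 4096));  /* rejected, never divides */
    printf("ok:  %d\n", osf_add_and_match(&ok, 4096));   /* constructed sample window */
    return 0;
}
```

Both sample fingerprints use opt_num == 0 to show that the check does not depend on the per-option loop running at all.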

PUBLISHED Reserved 2026-05-13 | Published 2026-05-27 | Updated 2026-06-01 | Assigner Linux

Product status

Default status
unaffected

11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 (git) before cb833bbc1b3c51e08652d3c86298307c07d3f2db
affected

11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 (git) before 26900306a5a2c3e4f75c643a064525526bb6e5f3
affected

11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 (git) before 0694618cf3e9b120666e31f5f383a6e466d95a0d
affected

11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 (git) before 8def8fbd23f40e945febe913d04b731012ce0082
affected

11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 (git) before c55940895245d8ef658ab381248a28755218d625
affected

11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 (git) before fb965b1cfe92b28d28b5ebe3116b81dbef9f2d2f
affected

11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 (git) before 9a05e195618a6d474f2bcd5b6376d0ffc2f00366
affected

11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 (git) before 2195574dc6d9017d32ac346987e12659f931d932
affected

Default status
affected

2.6.31
affected

Any version before 2.6.31
unaffected

5.10.258 (semver)
unaffected

5.15.209 (semver)
unaffected

6.1.175 (semver)
unaffected

6.6.141 (semver)
unaffected

6.12.91 (semver)
unaffected

6.18.33 (semver)
unaffected

7.0.10 (semver)
unaffected

7.1-rc1 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/cb833bbc1b3c51e08652d3c86298307c07d3f2db

git.kernel.org/...c/26900306a5a2c3e4f75c643a064525526bb6e5f3

git.kernel.org/...c/0694618cf3e9b120666e31f5f383a6e466d95a0d

git.kernel.org/...c/8def8fbd23f40e945febe913d04b731012ce0082

git.kernel.org/...c/c55940895245d8ef658ab381248a28755218d625

git.kernel.org/...c/fb965b1cfe92b28d28b5ebe3116b81dbef9f2d2f

git.kernel.org/...c/9a05e195618a6d474f2bcd5b6376d0ffc2f00366

git.kernel.org/...c/2195574dc6d9017d32ac346987e12659f931d932

cve.org (CVE-2026-45841)

nvd.nist.gov (CVE-2026-45841)
