CVE-2004-0626
Description
A malformed TCP packet with an oversized header length causes an infinite loop in iptables TCP option matching, leading to CPU exhaustion and denial of service on Linux 2.6 kernels.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the tcp_find_option() function of the netfilter TCP match in Linux kernel 2.6.x (net/ipv4/netfilter/ip_tables.c). It is reachable only when an iptables rule using the --tcp-option match is active. The function copies the TCP options into a local array declared as plain char, which is signed on i386, and walks the options by adding each option's length byte to the loop index. A length byte of 128 or more is therefore read as a negative number, so the index moves backwards instead of forwards; if it lands on an earlier option, the walk repeats the same steps forever. All 2.6.x kernels are affected on i386, and the same holds on any other architecture where plain char is signed [1][3].
Exploitation
The attack is entirely remote and needs no authentication, local access or user interaction: a single crafted TCP segment that reaches the target is enough. The segment carries a TCP option whose length byte is larger than 127, which the kernel's signed read turns into a negative step; when that step sends the index back onto an earlier option, the loop never terminates. The segment must be evaluated by a netfilter rule that uses --tcp-option; otherwise the vulnerable loop is never entered [1][3].
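As an added illustration of the loop described in the Vulnerability and Exploitation sections above (demonstration code written for this page, not the kernel's source and not the reporter's proof of concept), the C program below walks a constructed TCP options area the way the 2.6.x code did, holding the bytes in a signed array, next to a hardened walk that holds them in an unsigned array. The option bytes are constructed, not captured; `signed char` is used so the vulnerable walk behaves as it would on i386 on every host; the MAX_STEPS guard and the `i + 1` bound check are demo additions, not part of the original code. The crafted sample gives its second option a length byte of 0xFC, which the signed walk reads as -4: exactly the distance back to offset 0, so the walk cycles. A second sample with length byte 0x80 shows that not every value above 127 hangs the loop: -128 wraps the unsigned index to a huge value and the loop simply exits, which is why the length field has to be chosen to suit the option layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP doff is 4 bits, so a header is at most 60 bytes: 40 bytes of options. */
#define TCP_OPT_MAX (60 - 20)

/* Demo-only guard so the vulnerable walk cannot hang this program.
 * The kernel loop had no such guard, which is why it spun forever. */
#define MAX_STEPS 1000

enum { OPT_NOT_FOUND = 0, OPT_FOUND = 1, OPT_LOOPS_FOREVER = -1 };

/* Vulnerable walk, shaped like the 2.6.x tcp_find_option() loop: the option
 * bytes sit in a signed array (plain char is signed on i386; signed char is
 * used here so the demo behaves the same on every host).  Each option's
 * length byte is added to the index, so a length of 128 or more is a
 * negative step.  Returns OPT_LOOPS_FOREVER once MAX_STEPS is exceeded. */
static int find_option_vulnerable(uint8_t option, const uint8_t *options,
                                  unsigned int optlen)
{
    signed char opt[TCP_OPT_MAX + 1];   /* +1: the i+1 read below stays in bounds */
    unsigned int i, steps = 0;

    if (optlen > TCP_OPT_MAX)
        return OPT_NOT_FOUND;            /* demo limit; doff cannot exceed it anyway */
    memset(opt, 0, sizeof opt);
    memcpy(opt, options, optlen);

    for (i = 0; i < optlen; ) {
        if (++steps > MAX_STEPS)
            return OPT_LOOPS_FOREVER;
        if (opt[i] == option)
            return OPT_FOUND;
        if (opt[i] < 2)                  /* kind 0 (EOL) and 1 (NOP) have no length */
            i++;
        else                             /* signed length: >= 0x80 moves i backwards */
            i += opt[i + 1] ? opt[i + 1] : 1;
    }
    return OPT_NOT_FOUND;
}

/* Hardened walk: the same loop over an unsigned array, so every step is
 * forward, plus a check that the length byte actually exists (demo addition). */
static int find_option_hardened(uint8_t option, const uint8_t *options,
                                unsigned int optlen)
{
    uint8_t opt[TCP_OPT_MAX + 1];
    unsigned int i;

    if (optlen > TCP_OPT_MAX)
        return OPT_NOT_FOUND;
    memset(opt, 0, sizeof opt);
    memcpy(opt, options, optlen);

    for (i = 0; i < optlen; ) {
        if (opt[i] == option)
            return OPT_FOUND;
        if (opt[i] < 2) {
            i++;
            continue;
        }
        if (i + 1 >= optlen)             /* option kind with no length byte: malformed */
            return OPT_NOT_FOUND;
        i += opt[i + 1] ? opt[i + 1] : 1; /* unsigned: 0xFC is +252, past the end */
    }
    return OPT_NOT_FOUND;
}

/* Constructed option areas (not captured traffic).  Kinds: 2 = MSS,
 * 3 = window scale, 8 = timestamps, 1 = NOP. */
static const uint8_t benign_opts[] = {
    2, 4, 0x05, 0xb4,                     /* MSS 1460 */
    3, 3, 7,                              /* window scale 7 */
    1,                                    /* NOP padding */
    8, 10, 0, 0, 0, 1, 0, 0, 0, 0,        /* timestamps */
};

/* Second option claims length 0xFC: signed it is -4, which lands the index
 * back on offset 0 and the walk repeats forever. */
static const uint8_t crafted_opts[] = { 2, 4, 0x05, 0xb4, 3, 0xfc, 7, 1 };

/* Length 0x80 is also > 127, but as -128 it wraps the unsigned index to a
 * huge value, so the loop exits instead of spinning. */
static const uint8_t wrap_opts[] = { 2, 4, 0x05, 0xb4, 3, 0x80, 7, 1 };

int main(void)
{
    printf("benign, signed walk, look for timestamps: %d\n",
           find_option_vulnerable(8, benign_opts, sizeof benign_opts));
    printf("crafted, signed walk:                     %d\n",
           find_option_vulnerable(8, crafted_opts, sizeof crafted_opts));
    printf("crafted, unsigned walk:                   %d\n",
           find_option_hardened(8, crafted_opts, sizeof crafted_opts));
    printf("wrap, signed walk:                        %d\n",
           find_option_vulnerable(8, wrap_opts, sizeof wrap_opts));
    return 0;
}
```

The two walks agree on well-formed options; they only diverge once a length byte has its top bit set. The hardened walk still trusts the length value, so an oversized but positive length just runs the index off the end and the match fails closed, which is the behaviour a packet filter wants for a malformed segment.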
Impact
Successful exploitation causes the kernel to consume 100% CPU resources, rendering the system unresponsive. This is a denial of service (DoS) with complete loss of availability. No confidentiality or integrity impact is reported; the attack does not provide elevated privileges or code execution [1][3].
Mitigation
Patched kernels were released by vendors shortly after disclosure. Upgrade to a fixed kernel (e.g., 2.6.7 or later for mainline, or the versions named in the SUSE and Gentoo advisories [2][3]). Until then, remove any iptables rules that use --tcp-option; iptables-save prints the active ruleset, so it can be searched for that match. Unloading the netfilter modules also closes the hole, but only on hosts that do not need packet filtering at all. The vulnerability is not in the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:gentoo:linux:*:*:*:*:*:*:*:*
- Range: 2.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- distro.conectiva.com.br/atualizacoes/ (nvd: Patch, Vendor Advisory)
- lwn.net/Articles/91964/ (nvd: Patch, Vendor Advisory)
- www.gentoo.org/security/en/glsa/glsa-200407-12.xml (nvd: Patch, Vendor Advisory)
- marc.info (nvd)
- www.novell.com/linux/security/advisories/2004_20_kernel.html (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/16554 (nvd)
News mentions
No linked articles in our index yet.