CVE-2026-23397
Description
In the Linux kernel, the following vulnerability has been resolved:
nfnetlink_osf: validate individual option lengths in fingerprints
nfnl_osf_add_callback() validates opt_num bounds and string NUL-termination but does not check individual option length fields. A zero-length option causes nf_osf_match_one() to enter the option matching loop even when foptsize sums to zero, which matches packets with no TCP options where ctx->optp is NULL:
Oops: general protection fault
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
Call Trace:
 nf_osf_match (net/netfilter/nfnetlink_osf.c:227)
 xt_osf_match_packet (net/netfilter/xt_osf.c:32)
 ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)
 nf_hook_slow (net/netfilter/core.c:623)
 ip_local_deliver (net/ipv4/ip_input.c:262)
 ip_rcv (net/ipv4/ip_input.c:573)
Additionally, an MSS option (kind=2) with length < 4 causes out-of-bounds reads when nf_osf_match_one() unconditionally accesses optp[2] and optp[3] for MSS value extraction. While RFC 9293 section 3.2 specifies that the MSS option is always exactly 4 bytes (Kind=2, Length=4), the check uses "< 4" rather than "!= 4" because lengths greater than 4 do not cause memory safety issues -- the buffer is guaranteed to be at least foptsize bytes by the ctx->optsize == foptsize check.
Reject fingerprints where any option has zero length, or where an MSS option has length less than 4, at add time rather than trusting these values in the packet matching hot path.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, nfnetlink_osf lacks validation of individual TCP option lengths, leading to NULL pointer dereference and out-of-bounds reads.
Description
In the Linux kernel's nfnetlink_osf module, the function nfnl_osf_add_callback() validates the number of options (opt_num) and ensures NUL-termination of strings, but fails to check the length field of each individual TCP option within a fingerprint. This allows a crafted fingerprint containing a zero-length option to be added. During packet matching, nf_osf_match_one() enters the option matching loop even when the total option size (foptsize) is zero, leading to a NULL pointer dereference when ctx->optp is NULL, causing a kernel crash. Additionally, an MSS option (kind=2) with length less than 4 triggers an out-of-bounds read when accessing optp[2] and optp[3] for MSS value extraction.
Exploitation
Exploitation requires the ability to send netlink messages to add fingerprints, typically requiring CAP_NET_ADMIN privileges within a user namespace. The attacker uploads a crafted fingerprint with zero-length options or an MSS option with insufficient length. When a network packet matches this fingerprint (e.g., via iptables rules using the osf match), the kernel accesses invalid memory, leading to a general protection fault and potential system crash.
Impact
An attacker with sufficient privileges can trigger a denial-of-service (kernel panic) or potentially leak sensitive kernel memory due to out-of-bounds reads. The vulnerability can be exploited remotely if the attacker can influence packet matching, but local access to netlink is typically required.
Mitigation
The fix validates individual option lengths at fingerprint addition time, rejecting zero-length options and MSS options with length less than 4. The patches have been applied to stable kernel trees as tracked in commits [1], [2], [3], and [4]. Users should update their kernels to include these patches.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
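The add-time check described in the commit message and in the Mitigation paragraph above, written out as an added example (constructed for this page, not the kernel's own code): osf_validate_opts() applies the two rejection rules, and osf_matches_optionless_packet() shows why the pre-existing sum-of-lengths comparison alone let a fingerprint made of zero-length options reach the option loop against a packet carrying no TCP options. The struct layout, function names and sample fingerprints are assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

#define TCPOPT_MSS 2   /* TCP option kind for Maximum Segment Size (RFC 9293 3.2) */

/* Simplified stand-in for one option entry of an OSF fingerprint
 * (constructed for this example; not the kernel's struct nf_osf_opt). */
struct osf_opt {
    uint16_t kind;
    uint16_t length;   /* length field supplied over netlink: untrusted input */
};

/* Sum of the fingerprint's option lengths (foptsize); the pre-fix matcher only
 * compared this sum against the packet's real option size. */
static unsigned int osf_opt_sum(const struct osf_opt *opts, unsigned int n)
{
    unsigned int i, sum = 0;
    for (i = 0; i < n; i++)
        sum += opts[i].length;
    return sum;
}

/* True when a fingerprint that still has options to compare would pass the
 * size check against a packet with no TCP options (optsize 0, optp NULL):
 * the condition behind the NULL dereference described above. */
bool osf_matches_optionless_packet(const struct osf_opt *opts, unsigned int n)
{
    return n > 0 && osf_opt_sum(opts, n) == 0;
}

/* Add-time validation in the spirit of the fix: reject any zero-length option
 * and any MSS option shorter than 4 bytes (kind, length, 2-byte value), so the
 * matcher can read optp[2] and optp[3] safely. Returns 0 or -EINVAL. */
int osf_validate_opts(const struct osf_opt *opts, unsigned int n)
{
    unsigned int i;
    for (i = 0; i < n; i++) {
        if (opts[i].length == 0)
            return -EINVAL;
        if (opts[i].kind == TCPOPT_MSS && opts[i].length < 4)
            return -EINVAL;
    }
    return 0;
}

/* Constructed sample fingerprints: one well-formed, two that the fix rejects. */
const struct osf_opt osf_sample_good[]      = { { TCPOPT_MSS, 4 }, { 1, 1 }, { 3, 3 } };
const struct osf_opt osf_sample_zero_len[]  = { { 1, 0 }, { 1, 0 } };
const struct osf_opt osf_sample_short_mss[] = { { TCPOPT_MSS, 2 } };
```

An MSS option longer than 4 is accepted on purpose, matching the commit's reasoning that the existing optsize == foptsize comparison already bounds the buffer.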
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=2.6.31.1, <5.10.253)
- cpe:2.3:o:linux:linux_kernel:2.6.31:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
- (no CPE)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- git.kernel.org/stable/c/224f4678812e1a7bc8341bcb666773a0aec5ea6f (nvd: Patch)
- git.kernel.org/stable/c/3932620c04c2938c93c0890c225960d3d34ba355 (nvd: Patch)
- git.kernel.org/stable/c/3c11b5c2436a3a5b450612ab160e3a525b28cfb5 (nvd: Patch)
- git.kernel.org/stable/c/4c6aa008b913e808c4f4d3cde36cb1d9bb5967c6 (nvd: Patch)
- git.kernel.org/stable/c/aa0574182c46963c3cdb8cde46ec93aca21100d8 (nvd: Patch)
- git.kernel.org/stable/c/dbdfaae9609629a9569362e3b8f33d0a20fd783c (nvd: Patch)
- git.kernel.org/stable/c/e9cf17b91e733fec725ebcc0b3098bc5ccd505e0 (nvd: Patch)
- git.kernel.org/stable/c/ec8bf0571b142f29dc0b68ae2ac3952f7a464b38 (nvd: Patch)
News mentions
No linked articles in our index yet.