CVE-2026-46101
Description
In the Linux kernel, the following vulnerability has been resolved:
netfilter: reject zero shift in nft_bitwise
Reject zero shift operands for nft_bitwise left and right shift expressions during initialization.
The carry propagation logic computes the carry from the adjacent 32-bit word using BITS_PER_TYPE(u32) - shift. A zero shift operand turns this into a 32-bit shift, which is undefined behaviour.
Reject zero shift operands in the control plane, alongside the existing check for values greater than or equal to 32, so malformed rules never reach the packet path.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A zero shift operand in netfilter's nft_bitwise expression causes undefined behavior in the Linux kernel, allowing local privilege escalation or denial of service.
Vulnerability
In the Linux kernel's netfilter subsystem, the nft_bitwise expression allows left and right shift operations. A zero shift operand was accepted during rule addition, but the carry propagation logic computes BITS_PER_TYPE(u32) - shift, which becomes a 32-bit shift when shift is 0, causing undefined behavior. This vulnerability affects kernel versions where the nft_bitwise expression is present; the patch is applied in stable kernels as commits [1][2][3].
Exploitation
An attacker with the ability to add netfilter rules (typically requiring root privileges or CAP_NET_ADMIN) can craft a rule using a bitwise shift with a zero operand. This triggers undefined behavior during packet processing when the rule is evaluated, potentially leading to a kernel crash or memory corruption.
Impact
Successful exploitation results in undefined behavior in the kernel, which may cause a denial of service (system crash) or potentially allow an attacker to corrupt kernel memory, leading to privilege escalation or information disclosure. The exact impact depends on compiler optimizations and memory layout.
Mitigation
The fix rejects zero shift operands during rule initialization, preventing malformed rules from reaching the packet path. The patch is applied in the Linux kernel stable tree; commits [1][2][3] address the issue. Users should update to a kernel version containing the fix or apply the patch manually.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches
ca24f1243ad1 netfilter: reject zero shift in nft_bitwise
1 file changed · +2 −2
net/netfilter/nft_bitwise.c+2 −2 modifieddiff --git a/net/netfilter/nft_bitwise.c b/net/netfilter/nft_bitwise.c index 7de95674fd8c44..2cfb0104680c62 100644 --- a/net/netfilter/nft_bitwise.c +++ b/net/netfilter/nft_bitwise.c @@ -149,7 +149,8 @@ static int nft_bitwise_init_shift(struct nft_bitwise *priv, if (err < 0) return err; - if (priv->data.data[0] >= BITS_PER_TYPE(u32)) { + if (!priv->data.data[0] || + priv->data.data[0] >= BITS_PER_TYPE(u32)) { nft_data_release(&priv->data, desc.type); return -EINVAL; } -- cgit 1.3-korg
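Review bot: the added `!priv->data.data[0]` test in nft_bitwise_init_shift carries no comment saying why a zero operand is invalid, and nothing at this site shows it; per the description, the reason is in the evaluation path, where the carry is computed with `BITS_PER_TYPE(u32) - shift`. A one-line comment above the condition naming that dependency would keep a later cleanup from dropping the zero check as redundant. The new case shares the existing `nft_data_release(&priv->data, desc.type)` and `return -EINVAL` path, so the release is not skipped for it.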
f370205974f1 netfilter: reject zero shift in nft_bitwise
1 file changed · +2 −2
net/netfilter/nft_bitwise.c+2 −2 modifieddiff --git a/net/netfilter/nft_bitwise.c b/net/netfilter/nft_bitwise.c index d550910aabec9b..af990c600745be 100644 --- a/net/netfilter/nft_bitwise.c +++ b/net/netfilter/nft_bitwise.c @@ -196,7 +196,8 @@ static int nft_bitwise_init_shift(struct nft_bitwise *priv, if (err < 0) return err; - if (priv->data.data[0] >= BITS_PER_TYPE(u32)) { + if (!priv->data.data[0] || + priv->data.data[0] >= BITS_PER_TYPE(u32)) { nft_data_release(&priv->data, desc.type); return -EINVAL; } -- cgit 1.3-korg
bffef0acec9c netfilter: reject zero shift in nft_bitwise
1 file changed · +2 −2
net/netfilter/nft_bitwise.c+2 −2 modifieddiff --git a/net/netfilter/nft_bitwise.c b/net/netfilter/nft_bitwise.c index 7de95674fd8c44..2cfb0104680c62 100644 --- a/net/netfilter/nft_bitwise.c +++ b/net/netfilter/nft_bitwise.c @@ -149,7 +149,8 @@ static int nft_bitwise_init_shift(struct nft_bitwise *priv, if (err < 0) return err; - if (priv->data.data[0] >= BITS_PER_TYPE(u32)) { + if (!priv->data.data[0] || + priv->data.data[0] >= BITS_PER_TYPE(u32)) { nft_data_release(&priv->data, desc.type); return -EINVAL; } -- cgit 1.3-korg
6f820139d16a netfilter: reject zero shift in nft_bitwise
1 file changed · +2 −2
net/netfilter/nft_bitwise.c+2 −2 modifieddiff --git a/net/netfilter/nft_bitwise.c b/net/netfilter/nft_bitwise.c index d550910aabec9b..af990c600745be 100644 --- a/net/netfilter/nft_bitwise.c +++ b/net/netfilter/nft_bitwise.c @@ -196,7 +196,8 @@ static int nft_bitwise_init_shift(struct nft_bitwise *priv, if (err < 0) return err; - if (priv->data.data[0] >= BITS_PER_TYPE(u32)) { + if (!priv->data.data[0] || + priv->data.data[0] >= BITS_PER_TYPE(u32)) { nft_data_release(&priv->data, desc.type); return -EINVAL; } -- cgit 1.3-korg
fe11e5c40817 netfilter: reject zero shift in nft_bitwise
1 file changed · +2 −2
net/netfilter/nft_bitwise.c+2 −2 modifieddiff --git a/net/netfilter/nft_bitwise.c b/net/netfilter/nft_bitwise.c index 13808e9cd99933..94dccdcfa06bba 100644 --- a/net/netfilter/nft_bitwise.c +++ b/net/netfilter/nft_bitwise.c @@ -196,7 +196,8 @@ static int nft_bitwise_init_shift(struct nft_bitwise *priv, if (err < 0) return err; - if (priv->data.data[0] >= BITS_PER_TYPE(u32)) { + if (!priv->data.data[0] || + priv->data.data[0] >= BITS_PER_TYPE(u32)) { nft_data_release(&priv->data, desc.type); return -EINVAL; } -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing validation for zero shift operand in nft_bitwise shift expressions causes undefined behavior in carry propagation logic."
Attack vector
An attacker with the ability to insert netfilter rules (typically requiring `CAP_NET_ADMIN`) can craft an nftables rule that uses a left or right shift expression (`nft_bitwise`) with a shift operand of zero. The carry propagation logic computes `BITS_PER_TYPE(u32) - shift`, which with a zero shift becomes a 32-bit shift — undefined behavior in C. This malformed rule, if loaded, triggers undefined behavior in the kernel packet path, potentially leading to a crash or information disclosure.
Affected code
The vulnerability resides in the `nft_bitwise_init_shift` function in `net/netfilter/nft_bitwise.c` [patch_id=2659698]. The function validates shift operands but previously only rejected values greater than or equal to `BITS_PER_TYPE(u32)` (32), missing the zero-shift case.
What the fix does
The patch adds a check for `!priv->data.data[0]` (i.e., shift operand is zero) alongside the existing check for values >= 32 in `nft_bitwise_init_shift` [patch_id=2659698]. If the shift operand is zero, the function now returns `-EINVAL` and releases the nft data, preventing the malformed rule from being accepted into the kernel's rule set. This ensures undefined behavior from a zero shift never reaches the packet processing path.
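The rejected operand range and the carry step described above, as an added user-space C model (not the kernel's code and not part of the original page). The names `shift_operand_validate` and `lshift_words`, the `BITS_PER_U32` macro and the most-significant-word-first order are assumptions of the model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_U32 32u  /* stands in for BITS_PER_TYPE(u32) */

/* Control-plane check modelled on the patched condition: reject 0 and >= 32. */
static int shift_operand_validate(uint32_t shift)
{
    if (!shift || shift >= BITS_PER_U32)
        return -EINVAL;
    return 0;
}

/*
 * Model of a multi-word left shift with carry from the adjacent word.
 * Assumption: words[0] is the most significant word. The carry line
 * shifts by (32 - shift), so shift == 0 would be a 32-bit shift of a
 * 32-bit value, which C leaves undefined; the function refuses to run
 * on an operand the validator would not accept.
 */
static int lshift_words(uint32_t *dst, const uint32_t *src, size_t n,
                        uint32_t shift)
{
    uint32_t carry = 0;
    size_t i;

    if (shift_operand_validate(shift) < 0)
        return -EINVAL;
    for (i = n; i > 0; i--) {
        dst[i - 1] = (src[i - 1] << shift) | carry;
        carry = src[i - 1] >> (BITS_PER_U32 - shift);
    }
    return 0;
}

int main(void)
{
    const uint32_t src[2] = { 0x00000001u, 0x80000000u }; /* constructed input */
    uint32_t dst[2] = { 0, 0 };
    uint32_t s;

    for (s = 0; s <= 32; s += 16)
        printf("shift %2u -> %d\n", (unsigned)s, shift_operand_validate(s));
    if (lshift_words(dst, src, 2, 1) == 0)
        printf("0x%08x 0x%08x\n", (unsigned)dst[0], (unsigned)dst[1]);
    return 0;
}
```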
Preconditions
- auth: Attacker must have CAP_NET_ADMIN capability to insert nftables rules
- input: Attacker must be able to load a netfilter rule with a bitwise shift expression
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/6f820139d16a4c9865a145d4a9cf9c92cc632c14 (nvd)
- git.kernel.org/stable/c/bffef0acec9c3b837a785248a893137fb7f26c95 (nvd)
- git.kernel.org/stable/c/ca24f1243ad1a4d12d6a23876bbbe3ed02099853 (nvd)
- git.kernel.org/stable/c/f370205974f171a5868c13ff30d7642fed46e47b (nvd)
- git.kernel.org/stable/c/fe11e5c40817b84abaa5d83bfb6586d8412bfd07 (nvd)