CVE-2026-46244
Description
Linux kernel netfilter vulnerability allows transport header forgery and firewall bypass by desynchronizing IPv6 header offsets.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In the Linux kernel's netfilter subsystem, specifically within the nft_inner_parse_l2l3() function, a desynchronization occurs when processing inner IPv6 packets. The ipv6_find_hdr() function correctly calculates the transport header offset, but this result is immediately overwritten with an incorrect value based only on the IPv6 base header size. This affects stable versions from Linux 6.2.
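The offset mismatch described above can be reproduced in userspace. The following C program is an added example, not kernel code and not part of the fix: `walk_ipv6()`, `dport_at()` and `sample` are hypothetical names, the walker is a simplified stand-in for the extension-header walk, and the packet bytes are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { IP6_HDR_LEN = 40, NH_HOPOPTS = 0, NH_ROUTING = 43, NH_DSTOPTS = 60, NH_UDP = 17 };

/* Simplified userspace stand-in for the extension-header walk (not the
 * kernel's ipv6_find_hdr()): returns the L4 protocol and stores the transport
 * header offset in *thoff, or returns -1 if the packet is truncated. */
static int walk_ipv6(const uint8_t *p, size_t len, size_t nhoff, size_t *thoff)
{
    if (len < nhoff + IP6_HDR_LEN)
        return -1;
    uint8_t nh = p[nhoff + 6];                 /* Next Header field */
    size_t off = nhoff + IP6_HDR_LEN;
    while (nh == NH_HOPOPTS || nh == NH_ROUTING || nh == NH_DSTOPTS) {
        if (len < off + 8)
            return -1;
        size_t extlen = ((size_t)p[off + 1] + 1) * 8;  /* Hdr Ext Len field */
        if (len < off + extlen)
            return -1;
        nh = p[off];
        off += extlen;
    }
    *thoff = off;
    return nh;
}

/* Destination port as a rule would read it: big-endian u16 at thoff + 2. */
static unsigned dport_at(const uint8_t *p, size_t thoff)
{
    return (unsigned)p[thoff + 2] << 8 | p[thoff + 3];
}

/* Constructed sample: IPv6 header + 8-byte Destination Options (PadN) + UDP. */
static const uint8_t sample[56] = {
    [0] = 0x60, [5] = 16, [6] = NH_DSTOPTS,        /* version 6, payload 16 */
    [40] = NH_UDP, [41] = 0, [42] = 1, [43] = 4,   /* PadN, 4 pad bytes */
    [51] = 53, [53] = 8,                           /* UDP dport 53, length 8 */
};

int main(void)
{
    size_t thoff = 0;
    int l4 = walk_ipv6(sample, sizeof(sample), 0, &thoff);
    printf("l4=%d walked: thoff=%zu dport=%u; base-header-only: thoff=%d dport=%u\n",
           l4, thoff, dport_at(sample, thoff), IP6_HDR_LEN, dport_at(sample, IP6_HDR_LEN));
    return 0;
}
```

The walked offset lands on the UDP header, while the base-header-only offset lands inside the Destination Options header, so a field read there is extension-header data paired with the UDP protocol number.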
Exploitation
An attacker can exploit this vulnerability by crafting specially malformed IPv6 packets that contain inner IPv6 packets with extension headers. By sending these packets through a system running an affected Linux kernel version, the desynchronization between the calculated transport header offset and the actual layer 4 protocol can be triggered, enabling the forgery.
Impact
Successful exploitation allows an attacker to perform transport header forgery, which can lead to potential firewall bypass. This means that network traffic that should be inspected or blocked by firewall rules might be misrepresented, allowing malicious or unintended traffic to pass through.
Mitigation
This vulnerability has been resolved by removing the incorrect overwrite in the nft_inner_parse_l2l3() function, ensuring that the correct transport header offset calculated by ipv6_find_hdr() is preserved. Users should update to a patched version of the Linux kernel. The specific fixed version is referenced in [1].
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1
Patches
b6a91f68ebfe netfilter: nft_inner: Fix IPv6 inner_thoff desync
1 file changed · +0 −2
net/netfilter/nft_inner.c+0 −2 modifieddiff --git a/net/netfilter/nft_inner.c b/net/netfilter/nft_inner.c index 03ffb1159fc18..859aa38e333b8 100644 --- a/net/netfilter/nft_inner.c +++ b/net/netfilter/nft_inner.c @@ -163,7 +163,6 @@ static int nft_inner_parse_l2l3(const struct nft_inner *priv, return -1; if (fragoff == 0) { - thoff = nhoff + sizeof(_ip6h); ctx->flags |= NFT_PAYLOAD_CTX_INNER_TH; ctx->inner_thoff = thoff; ctx->l4proto = l4proto; -- cgit 1.3-korg
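Review bot: In the `fragoff == 0` branch, once `thoff = nhoff + sizeof(_ip6h);` is removed, `ctx->inner_thoff = thoff` relies on a value assigned above the visible context, so please confirm that `thoff` is written on every path that gets past the `return -1` check and is never read uninitialised. A one-line comment above the branch stating that `thoff` and `l4proto` come from the same header walk would keep a later cleanup from reintroducing a locally computed offset.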
c161ad9157f5 netfilter: nft_inner: Fix IPv6 inner_thoff desync
1 file changed · +0 −2
net/netfilter/nft_inner.c+0 −2 modifieddiff --git a/net/netfilter/nft_inner.c b/net/netfilter/nft_inner.c index 817ab978d24a1..5e6a1d3702b1b 100644 --- a/net/netfilter/nft_inner.c +++ b/net/netfilter/nft_inner.c @@ -156,7 +156,6 @@ static int nft_inner_parse_l2l3(const struct nft_inner *priv, return -1; if (fragoff == 0) { - thoff = nhoff + sizeof(_ip6h); ctx->flags |= NFT_PAYLOAD_CTX_INNER_TH; ctx->inner_thoff = thoff; ctx->l4proto = l4proto; -- cgit 1.3-korg
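Review bot: No test accompanies this removal in `nft_inner_parse_l2l3()`; a regression case with an inner IPv6 packet carrying at least one extension header, asserting that the stored `ctx->inner_thoff` points past that header and agrees with `ctx->l4proto`, would catch the two values drifting apart again. This copy applies at line 156 rather than 163, so the test is worth running on each branch the change is applied to.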
870d59e2cf21 netfilter: nft_inner: Fix IPv6 inner_thoff desync
1 file changed · +0 −2
net/netfilter/nft_inner.c+0 −2 modifieddiff --git a/net/netfilter/nft_inner.c b/net/netfilter/nft_inner.c index 817ab978d24a1..5e6a1d3702b1b 100644 --- a/net/netfilter/nft_inner.c +++ b/net/netfilter/nft_inner.c @@ -156,7 +156,6 @@ static int nft_inner_parse_l2l3(const struct nft_inner *priv, return -1; if (fragoff == 0) { - thoff = nhoff + sizeof(_ip6h); ctx->flags |= NFT_PAYLOAD_CTX_INNER_TH; ctx->inner_thoff = thoff; ctx->l4proto = l4proto; -- cgit 1.3-korg
689bbf48c1f4 netfilter: nft_inner: Fix IPv6 inner_thoff desync
1 file changed · +0 −2
net/netfilter/nft_inner.c+0 −2 modifieddiff --git a/net/netfilter/nft_inner.c b/net/netfilter/nft_inner.c index c4569d4b92285..1b3e7a976f560 100644 --- a/net/netfilter/nft_inner.c +++ b/net/netfilter/nft_inner.c @@ -163,7 +163,6 @@ static int nft_inner_parse_l2l3(const struct nft_inner *priv, return -1; if (fragoff == 0) { - thoff = nhoff + sizeof(_ip6h); ctx->flags |= NFT_PAYLOAD_CTX_INNER_TH; ctx->inner_thoff = thoff; ctx->l4proto = l4proto; -- cgit 1.3-korg
d0f98a3617f6 netfilter: nft_inner: Fix IPv6 inner_thoff desync
1 file changed · +0 −2
net/netfilter/nft_inner.c+0 −2 modifieddiff --git a/net/netfilter/nft_inner.c b/net/netfilter/nft_inner.c index c4569d4b92285..1b3e7a976f560 100644 --- a/net/netfilter/nft_inner.c +++ b/net/netfilter/nft_inner.c @@ -163,7 +163,6 @@ static int nft_inner_parse_l2l3(const struct nft_inner *priv, return -1; if (fragoff == 0) { - thoff = nhoff + sizeof(_ip6h); ctx->flags |= NFT_PAYLOAD_CTX_INNER_TH; ctx->inner_thoff = thoff; ctx->l4proto = l4proto; -- cgit 1.3-korg
References
- git.kernel.org/stable/c/689bbf48c1f45130086ae1c46ab83ea4c753c601 (nvd)
- git.kernel.org/stable/c/870d59e2cf218e7418491e26bad768cb16654582 (nvd)
- git.kernel.org/stable/c/b6a91f68ebfed9c38e0e9150f58a9b85da07181c (nvd)
- git.kernel.org/stable/c/c161ad9157f5a0429b5ff94d9770faf3bf48d273 (nvd)
- git.kernel.org/stable/c/d0f98a3617f6ae5b1e95cde1e68e7ead4a1279ce (nvd)