Description
In the Linux kernel, the following vulnerability has been resolved:

nfnetlink_osf: validate individual option lengths in fingerprints

nfnl_osf_add_callback() validates opt_num bounds and string
NUL-termination but does not check individual option length fields.
A zero-length option causes nf_osf_match_one() to enter the option
matching loop even when foptsize sums to zero, which matches packets
with no TCP options where ctx->optp is NULL:

Oops: general protection fault
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
Call Trace:
nf_osf_match (net/netfilter/nfnetlink_osf.c:227)
xt_osf_match_packet (net/netfilter/xt_osf.c:32)
ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)
nf_hook_slow (net/netfilter/core.c:623)
ip_local_deliver (net/ipv4/ip_input.c:262)
ip_rcv (net/ipv4/ip_input.c:573)

Additionally, an MSS option (kind=2) with length < 4 causes
out-of-bounds reads when nf_osf_match_one() unconditionally accesses
optp[2] and optp[3] for MSS value extraction. While RFC 9293
section 3.2 specifies that the MSS option is always exactly 4
bytes (Kind=2, Length=4), the check uses "< 4" rather than
"!= 4" because lengths greater than 4 do not cause memory
safety issues -- the buffer is guaranteed to be at least
foptsize bytes by the ctx->optsize == foptsize check.

Reject fingerprints where any option has zero length, or where an MSS
option has length less than 4, at add time rather than trusting these
values in the packet matching hot path.
Published: 2026-03-26
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

In the Linux kernel, the nfnetlink_osf fingerprinting subsystem fails to validate the length of individual TCP option entries. A zero‑length option or an MSS option shorter than four bytes bypasses the expected checks, causing nf_osf_match_one to dereference a null or out‑of‑bounds pointer during packet matching. This leads to a kernel general protection fault and a KASAN null‑ptr dereference, resulting in a system crash. The bug does not provide direct code execution or privilege escalation, but the crash can be triggered remotely by sending crafted packets, resulting in denial of service for the affected host.

Affected Systems

Any Linux system running a kernel that includes the nfnetlink_osf driver but lacks the patch is affected. The affected products are Linux kernel releases compiled with nfnetlink_osf enabled. The list of affected kernel versions is not explicitly provided, so any kernel prior to the fix should be considered vulnerable.

Risk and Exploitability

The CVSS score is 7.1, indicating a high severity. The EPSS score is below 1 %, showing a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack requires an attacker to send specially crafted packets to a host that processes nfnetlink_osf fingerprints, which is typically part of the netfilter packet filtering subsystem. While the immediate impact is a denial of service, there is no evidence of arbitrary code execution or privilege escalation.

Generated by OpenCVE AI on April 28, 2026 at 09:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the nfnetlink_osf validation patch.
  • Reboot the system to ensure the patched kernel is active.
  • Monitor kernel logs for nf_osf_match_one crashes and verify the patch's effectiveness.

Generated by OpenCVE AI on April 28, 2026 at 09:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6238-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Fri, 24 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CPEs cpe:2.3:o:linux:linux_kernel:2.6.31:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Fri, 27 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-130
References
Metrics threat_severity

None

 cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-20
CWE-476

Thu, 26 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-20
CWE-476

Thu, 26 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: nfnetlink_osf: validate individual option lengths in fingerprints nfnl_osf_add_callback() validates opt_num bounds and string NUL-termination but does not check individual option length fields. A zero-length option causes nf_osf_match_one() to enter the option matching loop even when foptsize sums to zero, which matches packets with no TCP options where ctx->optp is NULL: Oops: general protection fault KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98) Call Trace: nf_osf_match (net/netfilter/nfnetlink_osf.c:227) xt_osf_match_packet (net/netfilter/xt_osf.c:32) ipt_do_table (net/ipv4/netfilter/ip_tables.c:293) nf_hook_slow (net/netfilter/core.c:623) ip_local_deliver (net/ipv4/ip_input.c:262) ip_rcv (net/ipv4/ip_input.c:573) Additionally, an MSS option (kind=2) with length < 4 causes out-of-bounds reads when nf_osf_match_one() unconditionally accesses optp[2] and optp[3] for MSS value extraction. While RFC 9293 section 3.2 specifies that the MSS option is always exactly 4 bytes (Kind=2, Length=4), the check uses "< 4" rather than "!= 4" because lengths greater than 4 do not cause memory safety issues -- the buffer is guaranteed to be at least foptsize bytes by the ctx->optsize == foptsize check. Reject fingerprints where any option has zero length, or where an MSS option has length less than 4, at add time rather than trusting these values in the packet matching hot path.
Title nfnetlink_osf: validate individual option lengths in fingerprints
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:58:32.483Z

Reserved: 2026-01-13T15:37:46.011Z

Link: CVE-2026-23397

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T11:16:19.720

Modified: 2026-04-24T15:18:09.790

Link: CVE-2026-23397

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-26T10:22:49Z

Links: CVE-2026-23397 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T09:15:09Z

Weaknesses