Description
In the Linux kernel, the following vulnerability has been resolved:

nfnetlink_osf: validate individual option lengths in fingerprints

nfnl_osf_add_callback() validates opt_num bounds and string
NUL-termination but does not check individual option length fields.
A zero-length option causes nf_osf_match_one() to enter the option
matching loop even when foptsize sums to zero, which matches packets
with no TCP options where ctx->optp is NULL:

Oops: general protection fault
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
Call Trace:
nf_osf_match (net/netfilter/nfnetlink_osf.c:227)
xt_osf_match_packet (net/netfilter/xt_osf.c:32)
ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)
nf_hook_slow (net/netfilter/core.c:623)
ip_local_deliver (net/ipv4/ip_input.c:262)
ip_rcv (net/ipv4/ip_input.c:573)

Additionally, an MSS option (kind=2) with length < 4 causes
out-of-bounds reads when nf_osf_match_one() unconditionally accesses
optp[2] and optp[3] for MSS value extraction. While RFC 9293
section 3.2 specifies that the MSS option is always exactly 4
bytes (Kind=2, Length=4), the check uses "< 4" rather than
"!= 4" because lengths greater than 4 do not cause memory
safety issues -- the buffer is guaranteed to be at least
foptsize bytes by the ctx->optsize == foptsize check.

Reject fingerprints where any option has zero length, or where an MSS
option has length less than 4, at add time rather than trusting these
values in the packet matching hot path.
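The validation described above, as an added example that is not the kernel's own code: a small C model of the add-time check that rejects a fingerprint if any option has zero length or an MSS option (kind 2) is shorter than 4 bytes, alongside the foptsize sum the matcher later compares against the packet. The struct names, the OSF_MAX_OPTS bound and the verdict enum are constructed for this illustration and are not the UAPI types in nfnetlink_osf.h.

```c
/* Added example modeled on the fix described in the commit message above.
 * osf_finger, osf_opt, OSF_MAX_OPTS and osf_verdict are constructed names,
 * not the kernel's own types from include/uapi/linux/netfilter/nfnetlink_osf.h. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define OSF_MAX_OPTS 40   /* constructed upper bound on options per fingerprint */
#define TCPOPT_MSS   2    /* TCP option kind for Maximum Segment Size (RFC 9293 3.2) */
#define TCPOLEN_MSS  4    /* RFC 9293 fixes the MSS option at exactly 4 bytes */

/* Constructed, simplified view of one option in a fingerprint. */
struct osf_opt {
    uint16_t kind;
    uint16_t length;
};

/* Constructed, simplified fingerprint: only the fields the check needs. */
struct osf_finger {
    uint16_t opt_num;
    struct osf_opt opt[OSF_MAX_OPTS];
};

enum osf_verdict {
    OSF_OK = 0,
    OSF_ERR_OPT_NUM,    /* opt_num exceeds the option array */
    OSF_ERR_ZERO_LEN,   /* some option has length 0 */
    OSF_ERR_MSS_SHORT   /* MSS option shorter than 4 bytes */
};

/* Sum of all option lengths: this is the value (foptsize in the commit
 * message) that the matcher compares against the packet's TCP option size. */
unsigned int osf_finger_optsize(const struct osf_finger *f)
{
    unsigned int total = 0;
    for (unsigned int i = 0; i < f->opt_num && i < OSF_MAX_OPTS; i++)
        total += f->opt[i].length;
    return total;
}

/* Validate once at add time, before the fingerprint reaches the matching
 * hot path. Returns the first problem found, or OSF_OK. */
enum osf_verdict osf_finger_validate(const struct osf_finger *f)
{
    if (f->opt_num > OSF_MAX_OPTS)
        return OSF_ERR_OPT_NUM;

    for (unsigned int i = 0; i < f->opt_num; i++) {
        const struct osf_opt *o = &f->opt[i];

        /* A zero-length option lets foptsize sum to 0 while opt_num is
         * non-zero, so the matcher would walk the options of a packet
         * that carries none (optp NULL). */
        if (o->length == 0)
            return OSF_ERR_ZERO_LEN;

        /* The matcher reads optp[2] and optp[3] for the MSS value, so the
         * option must cover at least 4 bytes. Longer lengths are tolerated,
         * as in the fix, because the buffer is at least foptsize bytes. */
        if (o->kind == TCPOPT_MSS && o->length < TCPOLEN_MSS)
            return OSF_ERR_MSS_SHORT;
    }
    return OSF_OK;
}

int main(void)
{
    /* Constructed fingerprints exercising each verdict. */
    struct osf_finger good = { .opt_num = 2,
        .opt = { { TCPOPT_MSS, 4 }, { 3 /* window scale */, 3 } } };
    struct osf_finger zero = { .opt_num = 1, .opt = { { 8 /* timestamp */, 0 } } };
    struct osf_finger mss  = { .opt_num = 1, .opt = { { TCPOPT_MSS, 2 } } };

    printf("good: verdict %d, optsize %u\n", osf_finger_validate(&good), osf_finger_optsize(&good));
    printf("zero: verdict %d, optsize %u\n", osf_finger_validate(&zero), osf_finger_optsize(&zero));
    printf("mss : verdict %d\n", osf_finger_validate(&mss));
    return 0;
}
```

The point of checking at add time is that the rejected shapes never reach nf_osf_match_one(), so the per-packet loop can keep trusting the stored lengths without re-validating them on every packet.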
Published: 2026-03-26
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Kernel Crash
Action: Patch
AI Analysis

Impact

In the Linux kernel, the nfnetlink_osf filtering code allows a zero‑length TCP option or an MSS option shorter than four bytes to bypass bounds checking. This omission enables an attacker to craft a packet that causes an out‑of‑bounds read and a null‑pointer dereference in nf_osf_match_one, resulting in a general protection fault and a kernel panic. The crash propagates through the netfilter stack, leading to a system‑wide denial of service. The underlying weakness is inadequate input validation (CWE‑119, CWE‑20, CWE‑476).

Affected Systems

This vulnerability affects any system running the Linux kernel that includes the nfnetlink_osf component before the accompanying patch. The vendor is Linux (Kernel), and no specific affected version range is supplied in the data. Therefore, any kernel release that has not applied the patch is vulnerable.

Risk and Exploitability

The CVSS score is not provided, but the EPSS probability is less than 1% and the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. Nevertheless, an attacker can remotely trigger the fault by sending crafted TCP packets with malformed options to a reachable host, making this a network‑based denial‑of‑service risk. It does not require privileged local access, so the attack path is plausible in typical environments. The attack vector is inferred from the fact that malformed packets are processed in the networking stack.

Generated by OpenCVE AI on March 26, 2026 at 16:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install a Linux kernel update that includes the nfnetlink_osf validation patch
  • Reboot the system to activate the updated kernel

Generated by OpenCVE AI on March 26, 2026 at 16:14 UTC.

Tracking


Advisories

No advisories yet.

History

Fri, 27 Mar 2026 09:30:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-119, CWE-20, CWE-476

Thu, 26 Mar 2026 14:00:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-119, CWE-20, CWE-476

Thu, 26 Mar 2026 10:45:00 +0000

Type: Description
Values Added: In the Linux kernel, the following vulnerability has been resolved: nfnetlink_osf: validate individual option lengths in fingerprints (full text identical to the Description section at the top of this page)
Type: Title
Values Added: nfnetlink_osf: validate individual option lengths in fingerprints
Type: First Time appeared
Values Added: Linux; Linux linux Kernel
Type: CPEs
Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values Added: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-03-26T10:22:49.954Z

Reserved: 2026-01-13T15:37:46.011Z

Link: CVE-2026-23397

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-26T11:16:19.720

Modified: 2026-03-26T11:16:19.720

Link: CVE-2026-23397

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:28:49Z

Weaknesses

No weakness.