Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: xt_tcpmss: check remaining length before reading optlen

Quoting reporter:
In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads
op[i+1] directly without validating the remaining option length.

If the last byte of the option field is not EOL/NOP (0/1), the code attempts
to index op[i+1]. In the case where i + 1 == optlen, this causes an
out-of-bounds read, accessing memory past the optlen boundary
(either reading beyond the stack buffer _opt or the
following payload).
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out‑of‑bounds read in the netfilter xt_tcpmss module that parses TCP options in the Linux kernel. When the TCP option’s last byte is not an end‑of‑list or NOP marker, the parser reads the next byte without checking that the remaining length is sufficient. This can cause reads past the end of the option buffer, exposing contents of the kernel stack or subsequent payload data. The weakness follows CWE‑125: Out‑of‑bounds Read and may lead to kernel memory disclosure or a denial‑of‑service via a crash.
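The remaining-length check the description calls for, as an added userspace sketch. It is not the kernel's xt_tcpmss.c code or the upstream patch; `find_mss`, the `WALK_*` codes and the sample byte arrays are names and data constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { OPT_NOP = 1, OPT_MSS = 2, OPT_MSS_LEN = 4 };
enum { WALK_TRUNCATED = -1, WALK_NO_MSS = -2 };   /* hypothetical result codes */

/* Constructed sample option blocks (not captured traffic). */
static const uint8_t sample_ok[]    = { 2, 4, 0x05, 0xb4, 1, 1, 1, 0 }; /* MSS 1460 */
static const uint8_t sample_tail[]  = { 1, 1, 1, 3 };  /* kind 3 in the last byte */
static const uint8_t sample_long[]  = { 8, 10, 0, 0 }; /* length runs past the block */
static const uint8_t sample_plain[] = { 1, 1, 0, 0 };  /* only NOP/EOL bytes */

/* Walk op[0..optlen). Returns the MSS value (0..65535) when an MSS option is
 * found, WALK_NO_MSS when none is present, WALK_TRUNCATED on a malformed block. */
static int find_mss(const uint8_t *op, size_t optlen)
{
    size_t i = 0;

    while (i < optlen) {
        uint8_t kind = op[i];

        if (kind <= OPT_NOP) {           /* EOL/NOP (0/1): one byte, no length */
            i++;
            continue;
        }
        /* Any other kind has its length byte at op[i + 1]. When i + 1 == optlen
         * that byte lies outside the block, so check before reading it. */
        if (optlen - i < 2)
            return WALK_TRUNCATED;
        uint8_t len = op[i + 1];
        if (len < 2 || len > optlen - i) /* option must fit in what remains */
            return WALK_TRUNCATED;
        if (kind == OPT_MSS && len == OPT_MSS_LEN)
            return (op[i + 2] << 8) | op[i + 3];
        i += len;
    }
    return WALK_NO_MSS;
}

int main(void)
{
    printf("ok=%d tail=%d long=%d plain=%d\n",
           find_mss(sample_ok, sizeof sample_ok),
           find_mss(sample_tail, sizeof sample_tail),
           find_mss(sample_long, sizeof sample_long),
           find_mss(sample_plain, sizeof sample_plain));
    return 0;
}
```

`sample_tail` is the case from the description: a non-EOL/NOP kind in the final byte, where the length byte would sit at index `optlen`.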

Affected Systems

All systems running a Linux kernel that includes the xt_tcpmss netfilter module are potentially affected, including the default distribution kernels. No specific version range is listed in the CNA data, so any unpatched kernel is at risk until the patch is applied.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not in the CISA KEV catalog. The vulnerability can be triggered by an attacker who can send crafted TCP packets to the target system. Since it results in a memory read beyond the kernel buffer, the risk is considered high, especially for systems exposed to untrusted networks. No public exploits were reported at the time of this analysis, but the severity of a kernel memory leak warrants prompt action.

Generated by OpenCVE AI on May 6, 2026 at 14:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the patch for the xt_tcpmss out‑of‑bounds read bug.
  • Apply any vendor‑supplied backport or patch for the specific kernel release you are using.
  • As a temporary measure, filter or drop TCP packets that contain malformed TCP options, or disable the xt_tcpmss target if it is not required for your network traffic.



Advisories

No advisories yet.

History

Wed, 06 May 2026 14:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-125

Wed, 06 May 2026 12:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_tcpmss: check remaining length before reading optlen Quoting reporter: In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads op[i+1] directly without validating the remaining option length. If the last byte of the option field is not EOL/NOP (0/1), the code attempts to index op[i+1]. In the case where i + 1 == optlen, this causes an out-of-bounds read, accessing memory past the optlen boundary (either reading beyond the stack buffer _opt or the following payload).
Title | | netfilter: xt_tcpmss: check remaining length before reading optlen
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:27:59.798Z

Reserved: 2026-05-01T14:12:55.992Z

Link: CVE-2026-43190

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:37.843

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43190

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T16:45:07Z

Weaknesses