Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: xt_tcpmss: check remaining length before reading optlen

Quoting reporter:
In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads
op[i+1] directly without validating the remaining option length.

If the last byte of the option field is not EOL/NOP (0/1), the code attempts
to index op[i+1]. In the case where i + 1 == optlen, this causes an
out-of-bounds read, accessing memory past the optlen boundary
(either reading beyond the stack buffer _opt or the
following payload).
Published: 2026-05-06
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out‑of‑bounds read in the netfilter xt_tcpmss module that parses TCP options in the Linux kernel. When the TCP option’s last byte is not an end‑of‑list or NOP marker, the parser reads the next byte without checking that the remaining length is sufficient. This can cause reads past the end of the option buffer, exposing contents of the kernel stack or subsequent payload data. The weakness follows CWE‑125 and CWE‑130 and may lead to kernel memory disclosure or a denial‑of‑service via a crash.
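A user-space model of the option walk described above, added here as an illustration; it is not the kernel source or the upstream patch. The function names and sample option bytes are constructed for this example. The first function reports when the unchecked advance step would index `op[optlen]`, and the second shows the same walk with the remaining length checked before each read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCPOPT_MSS  2  /* option kind: maximum segment size */
#define TCPOLEN_MSS 4  /* total length of an MSS option */

/* Constructed samples: NOP NOP MSS=1460; NOP x3 then a lone kind byte (8). */
static const uint8_t opts_ok[]  = { 1, 1, 2, 4, 0x05, 0xb4 };
static const uint8_t opts_bad[] = { 1, 1, 1, 8 };

/* Models the unpatched advance step without performing the bad read:
 * returns 1 if the walk would index op[optlen], 0 otherwise. */
int unchecked_walk_reads_oob(const uint8_t *op, size_t optlen)
{
    size_t i = 0;
    while (i < optlen) {
        if (op[i] < 2) { i++; continue; }   /* EOL/NOP: single byte */
        if (i + 1 == optlen)                /* length byte is op[optlen] */
            return 1;
        i += op[i + 1] ? op[i + 1] : 1;
    }
    return 0;
}

/* Checked walk: returns the MSS value, or -1 if no well-formed MSS option
 * is found. Each index is compared with optlen before it is read. */
int find_mss_checked(const uint8_t *op, size_t optlen)
{
    size_t i = 0;
    while (i < optlen) {
        if (op[i] < 2) { i++; continue; }
        if (optlen - i < 2)                 /* no room for a length byte */
            return -1;
        if (op[i] == TCPOPT_MSS && op[i + 1] == TCPOLEN_MSS &&
            optlen - i >= TCPOLEN_MSS)
            return (op[i + 2] << 8) | op[i + 3];
        i += op[i + 1] ? op[i + 1] : 1;
    }
    return -1;
}
int main(void)
{
    printf("ok:  oob=%d mss=%d\n", unchecked_walk_reads_oob(opts_ok, sizeof opts_ok),
           find_mss_checked(opts_ok, sizeof opts_ok));
    printf("bad: oob=%d mss=%d\n", unchecked_walk_reads_oob(opts_bad, sizeof opts_bad),
           find_mss_checked(opts_bad, sizeof opts_bad));
    return 0;
}
```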

Affected Systems

All systems running a Linux kernel that includes the xt_tcpmss netfilter module are potentially affected, including the default distribution kernels. No specific version range is listed in the CNA data, so any unpatched kernel is at risk until the patch is applied.

Risk and Exploitability

The EPSS score is reported as less than 1% (approximately 0.00052), and the vulnerability is not in the CISA KEV catalog. The CVSS score is 8.2. Based on the description, it is inferred that an attacker can trigger the vulnerability by sending crafted TCP packets to the target system. Since it results in a memory read beyond the kernel buffer, the risk is considered high, especially for systems exposed to untrusted networks. The weakness is rooted in CWE‑125 and CWE‑130, indicating an unsafe assumption and an out‑of‑bounds read. No public exploits were reported at the time of this analysis, but the severity of a kernel memory leak warrants prompt action.

Generated by OpenCVE AI on May 11, 2026 at 23:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the patch for the xt_tcpmss out‑of‑bounds read bug.
  • Apply any vendor‑supplied backport or patch for the specific kernel release you are using.
  • As a temporary measure, filter or drop TCP packets that contain malformed TCP options, or disable the xt_tcpmss target if it is not required for your network traffic.



Advisories
Source: Debian DLA
ID: DLA-4606-1
Title: linux security update
History

Mon, 11 May 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CPEs cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc6:*:*:*:*:*:*

Fri, 08 May 2026 13:00:00 +0000

Type Values Removed Values Added
Metrics
  Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Added: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H'}


Thu, 07 May 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-130
References
Metrics
  Removed: threat_severity None
  Added: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity Important


Wed, 06 May 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title netfilter: xt_tcpmss: check remaining length before reading optlen
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:19:35.257Z

Reserved: 2026-05-01T14:12:55.992Z

Link: CVE-2026-43190

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T12:16:37.843

Modified: 2026-05-11T20:50:14.027

Link: CVE-2026-43190

Redhat

Severity : Important

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43190 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-11T23:30:02Z

Weaknesses