Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: x_tables: guard option walkers against 1-byte tail reads

When the last byte of options is a non-single-byte option kind, walkers
that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end
of the option area.

Add an explicit i == optlen - 1 check before dereferencing op[i + 1]
in xt_tcpudp and xt_dccp option walkers.
Published: 2026-05-08
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates in the netfilter x_tables option walkers used for TCP, UDP, and DCCP packets. Walkers that increment the option index with i += op[i + 1] ?: 1 can read the following byte (op[i + 1]) even when the current byte is the last in the option area, allowing a one‑byte out‑of‑bounds read. This can expose kernel memory contents or trigger a kernel crash due to a corrupted packet structure. The primary consequence is information disclosure and potential denial of service; based on the description, the flaw is exposed through crafted packets containing these options.

Affected Systems

All Linux kernel systems that include the netfilter x_tables modules prior to the patch. No specific version range is listed, so the vulnerability applies to all kernels until the commits referenced in the advisory are applied.

Risk and Exploitability

The likely attack surface is network traffic, where an attacker can send crafted packets containing non‑single‑byte option kinds to a vulnerable host. The CVSS score of 8.2 indicates a high severity. The EPSS score is less than 1%, indicating a very low exploitation probability. The flaw is not listed in CISA KEV, and no public exploits are known. Nonetheless, the low EPSS should not give false reassurance; the vulnerability can lead to kernel memory exposure or a crash.

Generated by OpenCVE AI on May 21, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that contains the commits referenced in the advisory (e.g., the latest stable release that includes the netfilter x_tables patch).
  • Rebuild or reload the x_tables modules if they are built as separate modules to ensure they incorporate the fix.
  • As a temporary measure, restrict traffic that includes unusual IP or TCP options by configuring firewall rules or disabling IP option parsing on the host.

Generated by OpenCVE AI on May 21, 2026 at 19:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4606-1 linux security update
History

Thu, 21 May 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*

Mon, 11 May 2026 07:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H'}

Sat, 09 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Sat, 09 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-193
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 08 May 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: x_tables: guard option walkers against 1-byte tail reads When the last byte of options is a non-single-byte option kind, walkers that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end of the option area. Add an explicit i == optlen - 1 check before dereferencing op[i + 1] in xt_tcpudp and xt_dccp option walkers.
Title netfilter: x_tables: guard option walkers against 1-byte tail reads
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:24:51.810Z

Reserved: 2026-05-01T14:12:56.010Z

Link: CVE-2026-43452

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T15:16:57.900

Modified: 2026-05-21T16:54:50.030

Link: CVE-2026-43452

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43452 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T19:45:17Z

Weaknesses