Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO

nf_osf_match_one() computes ctx->window % f->wss.val in the
OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A
CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a
subsequent matching TCP SYN divides by zero and panics the kernel.

Reject the bogus fingerprint in nfnl_osf_add_callback() above the
per-option for-loop. f->wss is per-fingerprint, not per-option, so
the check must run regardless of f->opt_num (including 0). Also
reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that
as "should not happen".

Crash:
Oops: divide error: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
Call Trace:
<IRQ>
nf_osf_match (net/netfilter/nfnetlink_osf.c:220)
xt_osf_match_packet (net/netfilter/xt_osf.c:32)
ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)
nf_hook_slow (net/netfilter/core.c:622)
ip_local_deliver (net/ipv4/ip_input.c:265)
ip_rcv (include/linux/skbuff.h:1162)
__netif_receive_skb_one_core (net/core/dev.c:6181)
process_backlog (net/core/dev.c:6642)
__napi_poll (net/core/dev.c:7710)
net_rx_action (net/core/dev.c:7945)
handle_softirqs (kernel/softirq.c:622)
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A divide‑by‑zero error in the nfnetlink_osf module occurs when nf_osf_match_one() calculates ctx->window % f->wss.val without first verifying that f->wss.val is non‑zero. A user with CAP_NET_ADMIN can add a fingerprint that causes this calculation and triggers a kernel panic on the next matching TCP SYN. This results in a system‑wide denial of service. The weakness is a classic divide‑by‑zero error leading to unintended crash.

Affected Systems

All Linux kernel builds that include the nfnetlink_osf implementation and have not yet incorporated the patch introducing a guard against zero‑modulus values. The affected code lives in net/netfilter/nfnetlink_osf.c and is part of the core kernel, so any distribution kernel containing that source file is susceptible.

Risk and Exploitability

The CVSS score is 5.5, indicating moderate severity, but the vulnerability still leads to a kernel crash, which is a serious denial of service. The EPSS score of less than 1% indicates a very low probability of exploitation and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires CAP_NET_ADMIN, which is typically only present for privileged users or services. Therefore the risk is high for systems where local or remote privilege escalation is possible, and moderate otherwise. A patch is the most effective mitigation.

Generated by OpenCVE AI on May 28, 2026 at 04:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the commit fixing the divide‑by‑zero check (e.g., any release after the linked patch commit).
  • If the kernel cannot be upgraded immediately, restrict the CAP_NET_ADMIN capability for processes that interact with nfnetlink or disable nfnetlink_osf functionality entirely to prevent the addition of malicious fingerprints.
  • As a temporary workaround, manually ensure that any fingerprints added via nfnetlink have a non‑zero wss.val and that wss.wc is less than OSF_WSS_MAX, though this still relies on correct input validation by administrators.

Generated by OpenCVE AI on May 28, 2026 at 04:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
References

Thu, 28 May 2026 03:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 27 May 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
CWE-369

Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO nf_osf_match_one() computes ctx->window % f->wss.val in the OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a subsequent matching TCP SYN divides by zero and panics the kernel. Reject the bogus fingerprint in nfnl_osf_add_callback() above the per-option for-loop. f->wss is per-fingerprint, not per-option, so the check must run regardless of f->opt_num (including 0). Also reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that as "should not happen". Crash: Oops: divide error: 0000 [#1] SMP KASAN NOPTI RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98) Call Trace: <IRQ> nf_osf_match (net/netfilter/nfnetlink_osf.c:220) xt_osf_match_packet (net/netfilter/xt_osf.c:32) ipt_do_table (net/ipv4/netfilter/ip_tables.c:348) nf_hook_slow (net/netfilter/core.c:622) ip_local_deliver (net/ipv4/ip_input.c:265) ip_rcv (include/linux/skbuff.h:1162) __netif_receive_skb_one_core (net/core/dev.c:6181) process_backlog (net/core/dev.c:6642) __napi_poll (net/core/dev.c:7710) net_rx_action (net/core/dev.c:7945) handle_softirqs (kernel/softirq.c:622)
Title netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:46:14.099Z

Reserved: 2026-05-13T15:03:33.078Z

Link: CVE-2026-45841

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T11:16:23.493

Modified: 2026-06-01T17:17:14.157

Link: CVE-2026-45841

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45841 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T04:45:07Z

Weaknesses