Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO

nf_osf_match_one() computes ctx->window % f->wss.val in the
OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A
CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a
subsequent matching TCP SYN divides by zero and panics the kernel.

Reject the bogus fingerprint in nfnl_osf_add_callback() above the
per-option for-loop. f->wss is per-fingerprint, not per-option, so
the check must run regardless of f->opt_num (including 0). Also
reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that
as "should not happen".

Crash:
Oops: divide error: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
Call Trace:
<IRQ>
nf_osf_match (net/netfilter/nfnetlink_osf.c:220)
xt_osf_match_packet (net/netfilter/xt_osf.c:32)
ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)
nf_hook_slow (net/netfilter/core.c:622)
ip_local_deliver (net/ipv4/ip_input.c:265)
ip_rcv (include/linux/skbuff.h:1162)
__netif_receive_skb_one_core (net/core/dev.c:6181)
process_backlog (net/core/dev.c:6642)
__napi_poll (net/core/dev.c:7710)
net_rx_action (net/core/dev.c:7945)
handle_softirqs (kernel/softirq.c:622)
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A divide‑by‑zero error in the nfnetlink_osf module occurs when nf_osf_match_one() calculates ctx->window % f->wss.val without first verifying that f->wss.val is non‑zero. A user with CAP_NET_ADMIN can add a fingerprint that causes this calculation, and the next matching TCP SYN then triggers a kernel panic. This results in a system‑wide denial of service. The weakness is a classic divide‑by‑zero error leading to an unintended crash.

Affected Systems

Affected are all Linux kernel builds that include the nfnetlink_osf implementation and have not yet incorporated the patch introducing a guard against zero‑modulus values. The affected code lives in net/netfilter/nfnetlink_osf.c and is part of the core kernel, so any distribution kernel containing that source file is susceptible.

Risk and Exploitability

The CVSS score is not provided, but the vulnerability leads to a kernel crash, making it a severe denial of service. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires CAP_NET_ADMIN, which is typically only present for privileged users or services. Therefore the risk is high for systems where local or remote privilege escalation is possible, and moderate otherwise. A patch is the most effective mitigation.

Generated by OpenCVE AI on May 27, 2026 at 11:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the commit fixing the divide‑by‑zero check (e.g., any release after the linked patch commit).
  • If the kernel cannot be upgraded immediately, restrict the CAP_NET_ADMIN capability for processes that interact with nfnetlink or disable nfnetlink_osf functionality entirely to prevent the addition of malicious fingerprints.
  • As a temporary workaround, manually ensure that any fingerprints added via nfnetlink have a non‑zero wss.val and that wss.wc is less than OSF_WSS_MAX, though this still relies on correct input validation by administrators.
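The add-time rejection described in the Description and in the last item above, as an added userspace C model (not the kernel patch and not OpenCVE's code). The struct layout, helper names and sample fingerprints are assumptions constructed for illustration; the exact condition in the upstream fix is not shown on this page.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model: field names follow the page, the layout is an assumption. */
enum osf_wss_mode { OSF_WSS_PLAIN, OSF_WSS_MSS, OSF_WSS_MTU, OSF_WSS_MODULO, OSF_WSS_MAX };
struct osf_wc { uint32_t wc, val; };
struct osf_finger { struct osf_wc wss; uint16_t opt_num; };

/* Hypothetical add-time validator. wss is per-fingerprint, so this runs once,
 * before any per-option loop, and cannot be skipped when opt_num == 0. */
int osf_validate_finger(const struct osf_finger *f)
{
    if (f->wss.wc >= OSF_WSS_MAX)           /* unknown window-size mode */
        return -EINVAL;
    if (f->wss.wc == OSF_WSS_MODULO && f->wss.val == 0)
        return -EINVAL;                     /* modulus of zero */
    return 0;
}

/* The modulo branch on the match path; only safe for validated fingerprints. */
int osf_wss_modulo_match(const struct osf_finger *f, uint16_t window)
{
    return (window % f->wss.val) == 0;
}

/* Add, then match: -EINVAL if rejected at add time, otherwise 1 or 0. */
int osf_add_then_match(const struct osf_finger *f, uint16_t window)
{
    int err = osf_validate_finger(f);
    if (err)
        return err;
    if (f->wss.wc != OSF_WSS_MODULO)
        return 0;                           /* other modes are outside this model */
    return osf_wss_modulo_match(f, window);
}

int main(void)
{
    /* Constructed sample fingerprints. */
    struct osf_finger zero_mod = { { OSF_WSS_MODULO, 0 }, 0 };
    struct osf_finger bad_mode = { { OSF_WSS_MAX, 512 }, 3 };
    struct osf_finger good     = { { OSF_WSS_MODULO, 8192 }, 3 };

    printf("zero modulus, no options: %d\n", osf_add_then_match(&zero_mod, 65535));
    printf("wc out of range:          %d\n", osf_add_then_match(&bad_mode, 65535));
    printf("valid, window 16384:      %d\n", osf_add_then_match(&good, 16384));
    return 0;
}
```

Placing the check on the add path keeps the packet path free of extra branches and means a rejected fingerprint never reaches the softirq context shown in the crash trace.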



Advisories

No advisories yet.

History

Wed, 27 May 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
CWE-369

Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
Description (identical to the Description section at the top of this page)
Title netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T09:24:40.805Z

Reserved: 2026-05-13T15:03:33.078Z

Link: CVE-2026-45841

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-27T11:16:23.493

Modified: 2026-05-27T11:16:23.493

Link: CVE-2026-45841

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T11:45:15Z

Weaknesses

No weakness.