CVE-2026-45873 - Vulnerability Details

- netfilter: nft_set_rbtree: check for partial overlaps in anonymous sets

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_set_rbtree: check for partial overlaps in anonymous sets

Userspace provides an optimized representation in case intervals are
adjacent, where the end element is omitted.

The existing partial overlap detection logic skips anonymous set checks
on start elements for this reason.

However, it is possible to add intervals that overlap to this anonymous
where two start elements with the same, eg. A-B, A-C where C < B.

start end
A B
start end
A C

Restore the check on overlapping start elements to report an overlap.

Published: 2026-05-27

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel’s nft_set_rbtree component lacks protection against adding two intervals with overlapping start points to anonymous sets. This oversight, a CWE‑1288 (Partial Overlap) flaw, allows a user to insert conflicting ranges. The nftables engine may then incorrectly match or drop packets, resulting in a firewall rule bypass or a denial‑of‑service condition where legitimate traffic fails to traverse the intended paths.

Affected Systems

All Linux kernel installations that include the nft_set_rbtree implementation, up to the release that incorporates the fix. No specific kernel versions are enumerated in the advisory, so the vulnerability potentially spans the current stable kernel releases until the patch is applied.

Risk and Exploitability

Exploitation requires the ability to add custom nftables rules, which typically demands CAP_NET_ADMIN or root privileges. With a CVSS score of 5.5, the vulnerability is considered moderate, though its severity is tempered by an EPSS score of < 1%, indicating a low likelihood of exploitation. The vulnerability is not listed in CISA KEV. The likely attack vector involves a privileged user configuring nftables rules with overlapping anonymous intervals, which can lead to firewall rule bypass or unintended packet drops.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`4aacf3d78424293e318c616016865380b37b9cc5`	affected	< 7ca5813e1b21ef300e04593f47b073ef3217aac6
`2bf1435fa19d2c58054391b3bba40d5510a5758c`	affected	< 029e5f6a95e905b12d6bc20421be32a01e0eb311
`318cb24a4c3fce8140afaf84e4d45fcb76fb280b`	affected	< f1381ce0a1dd013610985e1c4260908163a427df
`c9e6978e2725a7d4b6cd23b2facd3f11422c0643`	affected	< f1535d56fc3f6c625b7e0559c006bd0318791bb1
`c9e6978e2725a7d4b6cd23b2facd3f11422c0643`	affected	< 05feaf826390fd16f1deb89dd9412def3b2a280f
`c9e6978e2725a7d4b6cd23b2facd3f11422c0643`	affected	< dad14d22dff1a191612acb98facceb303d0524a2
`c9e6978e2725a7d4b6cd23b2facd3f11422c0643`	affected	< e6497e06a102870803a59570d75ed2c36d7e11b3
`c9e6978e2725a7d4b6cd23b2facd3f11422c0643`	affected	< 4780ec142cbb24b794129d3080eee5cac2943ffc
`7ab87a326f20c52ff4d9972052d085be951c704b`	affected	—
`181859bdfb9734aca449512fccaee4cacce64aed`	affected	—
`5.10.166`	affected	< 5.10.252
`5.15.91`	affected	< 5.15.202
`6.1.9`	affected	< 6.1.165
`4.19.316`	affected	< 4.20
`5.4.262`	affected	< 5.5

Linux

affected

Version	Status	Constraints
`6.2`	affected	—
`0`	unaffected	< 6.2
`5.10.252`	unaffected	≤ 5.10.*
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[4aacf3d78424293e318c616016865380b37b9cc5,7ca5813e1b21ef300e04593f47b073ef3217aac6)`	affected	code_commit	—
`[2bf1435fa19d2c58054391b3bba40d5510a5758c,029e5f6a95e905b12d6bc20421be32a01e0eb311)`	affected	code_commit	—
`[318cb24a4c3fce8140afaf84e4d45fcb76fb280b,f1381ce0a1dd013610985e1c4260908163a427df)`	affected	code_commit	—
`[c9e6978e2725a7d4b6cd23b2facd3f11422c0643,f1535d56fc3f6c625b7e0559c006bd0318791bb1)`	affected	code_commit	—
`[c9e6978e2725a7d4b6cd23b2facd3f11422c0643,05feaf826390fd16f1deb89dd9412def3b2a280f)`	affected	code_commit	—
`[c9e6978e2725a7d4b6cd23b2facd3f11422c0643,dad14d22dff1a191612acb98facceb303d0524a2)`	affected	code_commit	—
`[c9e6978e2725a7d4b6cd23b2facd3f11422c0643,e6497e06a102870803a59570d75ed2c36d7e11b3)`	affected	code_commit	—
`[c9e6978e2725a7d4b6cd23b2facd3f11422c0643,4780ec142cbb24b794129d3080eee5cac2943ffc)`	affected	code_commit	—
`7ab87a326f20c52ff4d9972052d085be951c704b`	affected	code_commit	—
`181859bdfb9734aca449512fccaee4cacce64aed`	affected	code_commit	—
`[5.10.166,5.10.252)`	affected	semver	—
`[5.15.91,5.15.202)`	affected	semver	—
`[6.1.9,6.1.165)`	affected	semver	—
`[4.19.316,4.20)`	affected	generic	—
`[5.4.262,5.5)`	affected	generic	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.2`	affected	semver	—
`[0,6.2)`	unaffected	semver	—
`[5.10.252,5.10.*]`	unaffected	generic	—
`[5.15.202,5.15.*]`	unaffected	generic	—
`[6.1.165,6.1.*]`	unaffected	generic	—
`[6.6.128,6.6.*]`	unaffected	generic	—
`[6.12.75,6.12.*]`	unaffected	generic	—
`[6.18.14,6.18.*]`	unaffected	generic	—
`[6.19.4,6.19.*]`	unaffected	generic	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that includes the nft_set_rbtree fix.
Restrict nftables rule configuration to users with CAP_NET_ADMIN and audit all rule changes for overlapping intervals.
Implement a validation layer or script that detects overlapping anonymous intervals in nftables rules before they are applied.

Generated by OpenCVE AI on May 28, 2026 at 17:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4606-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/029e5f6a95e905b12d6bc20421be32a01e0eb311
https://git.kernel.org/stable/c/05feaf826390fd16f1deb89dd9412def3b2a280f
https://git.kernel.org/stable/c/4780ec142cbb24b794129d3080eee5cac2943ffc
https://git.kernel.org/stable/c/7ca5813e1b21ef300e04593f47b073ef3217aac6
https://git.kernel.org/stable/c/dad14d22dff1a191612acb98facceb303d0524a2
https://git.kernel.org/stable/c/e6497e06a102870803a59570d75ed2c36d7e11b3
https://git.kernel.org/stable/c/f1381ce0a1dd013610985e1c4260908163a427df
https://git.kernel.org/stable/c/f1535d56fc3f6c625b7e0559c006bd0318791bb1
https://lore.kernel.org/linux-cve-announce/2026052713-CVE-2026-45873-40e6@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-45873
https://www.cve.org/CVERecord?id=CVE-2026-45873

History

Thu, 28 May 2026 15:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-20

Thu, 28 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1288
References		https://lore.kernel.org/linux-cve-announce/2026052713-CVE-2026-45873-40e6@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-45873 https://www.cve.org/CVERecord?id=CVE-2026-45873
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Wed, 27 May 2026 22:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-20

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: check for partial overlaps in anonymous sets Userspace provides an optimized representation in case intervals are adjacent, where the end element is omitted. The existing partial overlap detection logic skips anonymous set checks on start elements for this reason. However, it is possible to add intervals that overlap to this anonymous where two start elements with the same, eg. A-B, A-C where C < B. start end A B start end A C Restore the check on overlapping start elements to report an overlap.
Title		netfilter: nft_set_rbtree: check for partial overlaps in anonymous sets
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/029e5f6a95e905b12d6bc20421be32a01e0eb311 https://git.kernel.org/stable/c/05feaf826390fd16f1deb89dd9412def3b2a280f https://git.kernel.org/stable/c/4780ec142cbb24b794129d3080eee5cac2943ffc https://git.kernel.org/stable/c/7ca5813e1b21ef300e04593f47b073ef3217aac6 https://git.kernel.org/stable/c/dad14d22dff1a191612acb98facceb303d0524a2 https://git.kernel.org/stable/c/e6497e06a102870803a59570d75ed2c36d7e11b3 https://git.kernel.org/stable/c/f1381ce0a1dd013610985e1c4260908163a427df https://git.kernel.org/stable/c/f1535d56fc3f6c625b7e0559c006bd0318791bb1

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:15:52.916Z

Updated: 2026-05-27T12:15:52.916Z

Reserved: 2026-05-13T15:03:33.081Z

Link: CVE-2026-45873

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:00.780

Modified: 2026-05-27T14:48:31.480

Link: CVE-2026-45873

Redhat

Severity : Low

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45873 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T17:15:21Z

Weaknesses

CWE-1288

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object