CVE-2026-46101 - Vulnerability Details

- netfilter: reject zero shift in nft_bitwise

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: reject zero shift in nft_bitwise

Reject zero shift operands for nft_bitwise left and right shift
expressions during initialization.

The carry propagation logic computes the carry from the adjacent 32-bit
word using BITS_PER_TYPE(u32) - shift. A zero shift operand turns this
into a 32-bit shift, which is undefined behaviour.

Reject zero shift operands in the control plane, alongside the existing
check for values greater than or equal to 32, so malformed rules never
reach the packet path.

Published: 2026-05-27

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability exists in the Linux kernel's nftables module. During packet filtering rule initialization the library accepts shift operators with a zero shift value. The kernel then performs a 32-bit shift operation to propagate carry bits, which is undefined behaviour and can corrupt the kernel's internal state. Maliciously crafted nftables rules that use a zero shift can trigger a kernel crash or denial-of-service condition, potentially affecting the entire operating system. The weakness is an input validation failure (CWE-20) and a failure to guard against undefined behavior (CWE-1335) in the control plane of the nft_bitwise expression.

Affected Systems

All Linux kernels that implement the nft_bitwise expression without the new zero‑shift check are affected. The vulnerability is not limited to a single vendor; it applies to every distribution that ships the affected kernel code. The precise kernel version that was patched is not specified in the advisory.

Risk and Exploitability

No EPSS score is available and the vulnerability is not listed in CISA KEV, so public exploitation data is currently unknown. The CVSS score of 5.5 indicates moderate severity, reflecting a kernel‑level undefined behavior that can lead to a crash. The attack vector is inferred to be remote in that a malicious user can supply a crafted nftables rule, which is plausible for both local administrators and attackers with sufficient privileges to modify firewall rules. Because the bug is confined to the control plane and must be triggered during rule compilation, it is not a low‑effort remote code execution flaw, but a denial of service that can be triggered by poorly validated rules.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`567d746b55bc66d3800c9ae91d50f0c5deb2fd93`	affected	< 9baa08d6b6b096fad70049533f0d705d85fdc979
`567d746b55bc66d3800c9ae91d50f0c5deb2fd93`	affected	< 4fccea585631621c975883911a08d15b6671f7dc
`567d746b55bc66d3800c9ae91d50f0c5deb2fd93`	affected	< 9ad26c272405f53834871cc2e46b9b5393a666c3
`567d746b55bc66d3800c9ae91d50f0c5deb2fd93`	affected	< bffef0acec9c3b837a785248a893137fb7f26c95
`567d746b55bc66d3800c9ae91d50f0c5deb2fd93`	affected	< ca24f1243ad1a4d12d6a23876bbbe3ed02099853
`567d746b55bc66d3800c9ae91d50f0c5deb2fd93`	affected	< 6f820139d16a4c9865a145d4a9cf9c92cc632c14
`567d746b55bc66d3800c9ae91d50f0c5deb2fd93`	affected	< f370205974f171a5868c13ff30d7642fed46e47b
`567d746b55bc66d3800c9ae91d50f0c5deb2fd93`	affected	< fe11e5c40817b84abaa5d83bfb6586d8412bfd07

Linux

affected

Version	Status	Constraints
`5.6`	affected	—
`0`	unaffected	< 5.6
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.140`	unaffected	≤ 6.6.*
`6.12.86`	unaffected	≤ 6.12.*
`6.18.27`	unaffected	≤ 6.18.*
`7.0.4`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[567d746b55bc66d3800c9ae91d50f0c5deb2fd93,bffef0acec9c3b837a785248a893137fb7f26c95)`	affected	code_commit	—
`[567d746b55bc66d3800c9ae91d50f0c5deb2fd93,ca24f1243ad1a4d12d6a23876bbbe3ed02099853)`	affected	code_commit	—
`[567d746b55bc66d3800c9ae91d50f0c5deb2fd93,6f820139d16a4c9865a145d4a9cf9c92cc632c14)`	affected	code_commit	—
`[567d746b55bc66d3800c9ae91d50f0c5deb2fd93,f370205974f171a5868c13ff30d7642fed46e47b)`	affected	code_commit	—
`[567d746b55bc66d3800c9ae91d50f0c5deb2fd93,fe11e5c40817b84abaa5d83bfb6586d8412bfd07)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.6`	affected	generic	—
`[0,5.6)`	unaffected	generic	—
`[6.6.140,6.7.0)`	unaffected	semver	—
`[6.12.86,6.13.0)`	unaffected	semver	—
`[6.18.27,6.19.0)`	unaffected	semver	—
`[7.0.4,7.1.0)`	unaffected	semver	—
`[7.1-rc2,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel update that contains the fix for the nft_bitwise zero‑shift check.
Verify that nftables rules do not use zero‑shift operands; using nft -c or other validation tools can catch them before they are applied.
For operating systems that cannot be immediately updated, monitor the kernel logs for panic messages caused by nft_bitwise processing and consider temporarily disabling nft_bitwise functionality if it is not required.

Generated by OpenCVE AI on May 28, 2026 at 02:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00176.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/4fccea585631621c975883911a08d15b6671f7dc
https://git.kernel.org/stable/c/6f820139d16a4c9865a145d4a9cf9c92cc632c14
https://git.kernel.org/stable/c/9ad26c272405f53834871cc2e46b9b5393a666c3
https://git.kernel.org/stable/c/9baa08d6b6b096fad70049533f0d705d85fdc979
https://git.kernel.org/stable/c/bffef0acec9c3b837a785248a893137fb7f26c95
https://git.kernel.org/stable/c/ca24f1243ad1a4d12d6a23876bbbe3ed02099853
https://git.kernel.org/stable/c/f370205974f171a5868c13ff30d7642fed46e47b
https://git.kernel.org/stable/c/fe11e5c40817b84abaa5d83bfb6586d8412bfd07
https://lore.kernel.org/linux-cve-announce/2026052705-CVE-2026-46101-3102@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46101
https://www.cve.org/CVERecord?id=CVE-2026-46101

History

Mon, 01 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/4fccea585631621c975883911a08d15b6671f7dc https://git.kernel.org/stable/c/9ad26c272405f53834871cc2e46b9b5393a666c3 https://git.kernel.org/stable/c/9baa08d6b6b096fad70049533f0d705d85fdc979

Thu, 28 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1335
References		https://lore.kernel.org/linux-cve-announce/2026052705-CVE-2026-46101-3102@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46101 https://www.cve.org/CVERecord?id=CVE-2026-46101
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Wed, 27 May 2026 18:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-20

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: netfilter: reject zero shift in nft_bitwise Reject zero shift operands for nft_bitwise left and right shift expressions during initialization. The carry propagation logic computes the carry from the adjacent 32-bit word using BITS_PER_TYPE(u32) - shift. A zero shift operand turns this into a 32-bit shift, which is undefined behaviour. Reject zero shift operands in the control plane, alongside the existing check for values greater than or equal to 32, so malformed rules never reach the packet path.
Title		netfilter: reject zero shift in nft_bitwise
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/6f820139d16a4c9865a145d4a9cf9c92cc632c14 https://git.kernel.org/stable/c/bffef0acec9c3b837a785248a893137fb7f26c95 https://git.kernel.org/stable/c/ca24f1243ad1a4d12d6a23876bbbe3ed02099853 https://git.kernel.org/stable/c/f370205974f171a5868c13ff30d7642fed46e47b https://git.kernel.org/stable/c/fe11e5c40817b84abaa5d83bfb6586d8412bfd07

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:59:08.220Z

Updated: 2026-06-14T17:54:30.068Z

Reserved: 2026-05-13T15:03:33.097Z

Link: CVE-2026-46101

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:32.147

Modified: 2026-06-01T17:17:23.950

Link: CVE-2026-46101

Redhat

Severity : Low

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46101 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T04:00:07Z

Weaknesses

CWE-1335
Incorrect Bitwise Shift of Integer
CWE-20
Improper Input Validation

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object