Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_inner: Fix IPv6 inner_thoff desync

In nft_inner_parse_l2l3(), when processing inner IPv6 packets,
ipv6_find_hdr() correctly computes the transport header offset
traversing all extension headers, but the result is immediately
overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only
accounts for the IPv6 base header. This creates a desync between
inner_thoff (wrong — points to extension header start) and l4proto
(correct — e.g., IPPROTO_TCP), enabling transport header forgery
and potential firewall bypass. This issue affects stable versions
from Linux 6.2.

For comparison, the normal (non-inner) IPv6 path correctly
preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite
ensures that ipv6_find_hdr()'s calculated transport header offset is
preserved, thereby fixing the desynchronization.
Published: 2026-06-03
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, nft_inner_parse_l2l3() incorrectly overwrites the transport header offset for inner IPv6 packets, causing a desynchronization between the actual header location and the protocol identifier. This flaw can be abused to forge transport-layer headers and evade firewall rules, allowing malicious traffic to be accepted as legitimate. The vulnerability does not directly reveal data but permits an attacker to subvert packet filtering. This flaw corresponds to CWE‑823.

Affected Systems

All stable Linux kernel releases from version 6.2 onward are affected, as the issue resides in the core netfilter module. No specific vendor patches are listed beyond the kernel update requirement.

Risk and Exploitability

Based on the supplied metrics, the flaw scores a CVSS of 9.1, indicating a high severity. The EPSS score is < 1%, portraying a very low likelihood of exploitation, and the vulnerability is absent from the CISA KEV catalog. The CVE description notes that the desynchronization between inner_thoff and l4proto can lead to transport header forgery and firewall bypass, but the exact attack vector—such as whether an attacker needs direct network access or can exploit the issue from a remote source—is not explicitly described in the official data. Consequently, while the potential impact includes bypassing firewall rules, the specific exploitation technique remains unspecified.

Generated by OpenCVE AI on June 10, 2026 at 00:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a patched release that includes the corrected nft_inner implementation (6.2.1 or later).
  • Re‑apply or verify firewall rules after the kernel upgrade to ensure they operate on the correct transport header offsets.
  • Consult your distribution’s security advisories for any backported patches and apply them promptly.

Generated by OpenCVE AI on June 10, 2026 at 00:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6355-1 linux security update
History

Tue, 09 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc4:*:*:*:*:*:*

Fri, 05 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Thu, 04 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Thu, 04 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-823
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Wed, 03 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Wed, 03 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.
Title netfilter: nft_inner: Fix IPv6 inner_thoff desync
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T18:05:25.011Z

Reserved: 2026-05-13T15:03:33.107Z

Link: CVE-2026-46244

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-06-03T18:16:24.430

Modified: 2026-06-09T20:35:56.863

Link: CVE-2026-46244

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-03T00:00:00Z

Links: CVE-2026-46244 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T00:15:17Z

Weaknesses