Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: xt_policy: fix strict mode inbound policy matching

match_policy_in() walks sec_path entries from the last transform to the
first one, but strict policy matching needs to consume info->pol[] in
the same forward order as the rule layout.

Derive the strict-match policy position from the number of transforms
already consumed so that multi-element inbound rules are matched
consistently.
Published: 2026-06-24
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel’s netfilter subsystem, the xt_policy module handles inbound strict mode policy matching. A defect in match_policy_in() caused the function to traverse the list of policy rules in reverse order, so rules were evaluated against the wrong segments of the rule set. This mis‑ordering can allow unwanted traffic to pass or properly allowed traffic to be blocked, undermining the firewall’s intended security posture. The weakness is classified as CWE‑551, which represents improper control flow handling.

Affected Systems

The flaw is present in any Linux kernel that builds the xt_policy module without the patch that changes the traversal order. All kernel releases before the specific commits referenced are affected; this includes many mainstream distributions that ship older kernel versions or custom kernels that include the module. Systems that load xt_policy and employ strict mode inbound filtering are at risk.

Risk and Exploitability

The CVSS score of 8.3 indicates high severity, while the EPSS score of less than 1 % shows a very low but non‑zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to send crafted inbound traffic that activates the reversed evaluation path, potentially bypassing firewall rules or causing denial of service by incorrectly dropping legitimate packets.

Generated by OpenCVE AI on June 28, 2026 at 15:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that incorporates the xt_policy strict‑mode fix from the referenced commits.
  • If an upgrade cannot be performed immediately, unload or disable the xt_policy module and reconfigure the system to use an alternative filtering method or non‑strict inbound policies.
  • As a temporary measure, simplify or remove strict mode inbound rules so that the flawed code path is not exercised until the kernel is patched.

Generated by OpenCVE AI on June 28, 2026 at 15:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H'}


Thu, 25 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-285

Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-551
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-285

Wed, 24 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_policy: fix strict mode inbound policy matching match_policy_in() walks sec_path entries from the last transform to the first one, but strict policy matching needs to consume info->pol[] in the same forward order as the rule layout. Derive the strict-match policy position from the number of transforms already consumed so that multi-element inbound rules are matched consistently.
Title netfilter: xt_policy: fix strict mode inbound policy matching
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:36:42.252Z

Reserved: 2026-06-09T07:44:35.367Z

Link: CVE-2026-52920

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52920 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T15:15:05Z

Weaknesses
  • CWE-551

    Incorrect Behavior Order: Authorization Before Parsing and Canonicalization