Impact
In the Linux kernel’s netfilter subsystem, the xt_policy module handles inbound strict mode policy matching. A defect in match_policy_in() caused the function to traverse the list of policy rules in reverse order, so rules were evaluated against the wrong segments of the rule set. This mis‑ordering can allow unwanted traffic to pass or properly allowed traffic to be blocked, undermining the firewall’s intended security posture. The weakness is classified as CWE‑551, which represents improper control flow handling.
Affected Systems
The flaw is present in any Linux kernel that builds the xt_policy module without the patch that changes the traversal order. All kernel releases before the specific commits referenced are affected; this includes many mainstream distributions that ship older kernel versions or custom kernels that include the module. Systems that load xt_policy and employ strict mode inbound filtering are at risk.
Risk and Exploitability
The CVSS score of 8.3 indicates high severity, while the EPSS score of less than 1 % shows a very low but non‑zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to send crafted inbound traffic that activates the reversed evaluation path, potentially bypassing firewall rules or causing denial of service by incorrectly dropping legitimate packets.
OpenCVE Enrichment
Debian DLA