Impact
The Linux kernel’s netfilter ipset module for the hash variants hash:ip,mark; hash:ip,port; hash:ip,port,ip; and hash:ip,port,net contains an off‑by‑one error in the IPv4 range iterator. When the iterator processes the last address in a specified range, it can advance one step beyond the upper bound. The resulting traversal state may place subsequent operations at an unintended offset, potentially leading to incorrect packet handling or unexpected behavior in the filtering logic. The flaw aligns with CWE‑193 weaknesses.
Affected Systems
Any Linux kernel installation that loads the ipset modules and utilizes one of the four hash variants described above is potentially affected. The CVE specification does not list an explicit version range, which implies that all kernel releases prior to the delivery of the bug‑fix patch that incorporates the iterator logic change are vulnerable.
Risk and Exploitability
The CVSS score of 5.5 indicates a moderate severity assessment. The EPSS score of < 1% indicates a very low exploitation likelihood, and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited known exploitation activity. Because the flaw resides in kernel networking code, an attacker would need the ability to create or modify ipset entries—typically requiring root or a privilege escalation vector—to trigger the bug. When exercised, the bug may cause packet filtering to operate incorrectly, but no documented remote attack path has been disclosed.
OpenCVE Enrichment
Debian DLA