Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: ipset: stop hash:* range iteration at end

The following hash set variants:

hash:ip,mark
hash:ip,port
hash:ip,port,ip
hash:ip,port,net

iterate IPv4 ranges with a 32-bit iterator.

The iterator must stop once the last address in the requested range has
been processed. Advancing it once more can move the traversal state past
the end of the request, so a later retry may continue from an unintended
position.

Handle the iterator increment explicitly at the end of the loop and stop
once the upper bound has been processed. This keeps the existing retry
behaviour intact for valid ranges while preventing traversal from
continuing past the original boundary.
Published: 2026-06-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s netfilter ipset module for the hash variants hash:ip,mark; hash:ip,port; hash:ip,port,ip; and hash:ip,port,net contains an off‑by‑one error in the IPv4 range iterator. When the iterator processes the last address in a specified range, it can advance one step beyond the upper bound. The resulting traversal state may place subsequent operations at an unintended offset, potentially leading to incorrect packet handling or unexpected behavior in the filtering logic. The flaw aligns with CWE‑193 weaknesses.

Affected Systems

Any Linux kernel installation that loads the ipset modules and utilizes one of the four hash variants described above is potentially affected. The CVE specification does not list an explicit version range, which implies that all kernel releases prior to the delivery of the bug‑fix patch that incorporates the iterator logic change are vulnerable.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity assessment. The EPSS score of < 1% indicates a very low exploitation likelihood, and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited known exploitation activity. Because the flaw resides in kernel networking code, an attacker would need the ability to create or modify ipset entries—typically requiring root or a privilege escalation vector—to trigger the bug. When exercised, the bug may cause packet filtering to operate incorrectly, but no documented remote attack path has been disclosed.

Generated by OpenCVE AI on June 25, 2026 at 03:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that contains the ipset iterator bug fix
  • Reload the ipset modules for the affected hash variants so the updated code is in use
  • If a kernel upgrade cannot be applied immediately, avoid creating or using the hash:ip,mark; hash:ip,port; hash:ip,port,ip; and hash:ip,port,net ipset entries or temporarily disable ipset until the update is applied

Generated by OpenCVE AI on June 25, 2026 at 03:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Thu, 25 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665
CWE-722

Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-193
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665
CWE-722

Wed, 24 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: stop hash:* range iteration at end The following hash set variants: hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net iterate IPv4 ranges with a 32-bit iterator. The iterator must stop once the last address in the requested range has been processed. Advancing it once more can move the traversal state past the end of the request, so a later retry may continue from an unintended position. Handle the iterator increment explicitly at the end of the loop and stop once the upper bound has been processed. This keeps the existing retry behaviour intact for valid ranges while preventing traversal from continuing past the original boundary.
Title netfilter: ipset: stop hash:* range iteration at end
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T07:14:16.533Z

Reserved: 2026-06-09T07:44:35.367Z

Link: CVE-2026-52921

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52921 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T03:30:17Z

Weaknesses