Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check

The nf_osf_ttl() function accessed skb->dev to perform a local interface
address lookup without verifying that the device pointer was valid.

Additionally, the implementation utilized an in_dev_for_each_ifa_rcu
loop to match the packet source address against local interface
addresses. It assumed that packets from the same subnet should not see a
decrement on the initial TTL. A packet might appear it is from the same
subnet but it actually isn't especially in modern environments with
containers and virtual switching.

Remove the device dereference and interface loop. Replace the logic with
a switch statement that evaluates the TTL according to the ttl_check.
Published: 2026-06-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The nf_osf_ttl() function in the nfnetlink_osf subsystem accesses skb->dev to perform a local interface address lookup without verifying that the device pointer was valid. The description notes that this missing check could result in a null pointer dereference when skb->dev is NULL, which would lead the kernel to crash and render the system unavailable. The implementation also used an in_dev_for_each_ifa_rcu loop that assumed packets from the same subnet would not experience a TTL decrement, a premise that does not hold in modern containerized or virtualized environments. Consequently, a packet crafted to reach this code path could trigger the null dereference, causing a kernel panic and a denial‑of‑service condition.

Affected Systems

All Linux kernel distributions that include the nfnetlink_osf subsystem before the patch referenced in the supplied commit logs are vulnerable. No specific version range is listed, so any nf_osf_ttl() implementation in that code path is at risk. Administrators should identify the exact kernel version in use and expect that kernels compiled from sources prior to the recent updates are affected.

Risk and Exploitability

The EPSS score of < 1% indicates a very low estimated exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 7.5 classifies this flaw as high severity, meaning a successful exploit could produce significant system impact. Based on the description, it is inferred that an attacker would need to send a crafted network packet that reaches the nfnetlink_osf subsystem to trigger the null dereference. The description does not explicitly state the attack vector, but the location in the netfilter stack suggests that a remote attacker could exploit this from an external network if the target processes packets that traverse the nfnetlink_osf code path. While the likelihood of exploitation remains low, the impact of a successful exploit—kernel panic and denial of service—is significant for exposed services or public servers.

Generated by OpenCVE AI on June 28, 2026 at 15:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that contains the nfnetlink_osf patch, disable the nfnetlink_osf subsystem or block traffic that can reach the offending code path via firewall rules
  • Consider temporarily restricting or monitoring nffilter traffic to mitigate potential instability until a kernel update can be applied
  • Configure firewall rules to drop packets with suspicious TTL or missing device references that could trigger nfnetlink_osf, reducing the risk of exploitation

Generated by OpenCVE AI on June 28, 2026 at 15:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check The nf_osf_ttl() function accessed skb->dev to perform a local interface address lookup without verifying that the device pointer was valid. Additionally, the implementation utilized an in_dev_for_each_ifa_rcu loop to match the packet source address against local interface addresses. It assumed that packets from the same subnet should not see a decrement on the initial TTL. A packet might appear it is from the same subnet but it actually isn't especially in modern environments with containers and virtual switching. Remove the device dereference and interface loop. Replace the logic with a switch statement that evaluates the TTL according to the ttl_check.
Title netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:37:48.038Z

Reserved: 2026-06-09T07:44:35.377Z

Link: CVE-2026-52998

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52998 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T15:15:05Z

Weaknesses