Impact
The nf_osf_ttl() function looks up the local interface address through skb->dev without first checking that the device pointer is valid. If the device pointer is NULL, the kernel dereferences a null pointer, causing a kernel panic and a loss of system availability. The lookup also relies on an in_dev_for loop that incorrectly assumes packets from the same subnet should not lower the initial TTL, which could allow crafted packets to reach this path and trigger the null dereference in modern containerised or virtualised environments. Accordingly, an attacker could send a packet that causes the system to crash, leading to a denial-of-service condition. This is consistent with a NULL pointer dereference.
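To make the defect concrete, the following is an added user-space model of the TTL check, written for this page; it is not the kernel's nfnetlink_osf code. The struct and constant names echo the kernel's for readability, but every definition (the device and address structs, the enum values, the sample interface and packets) is a simplified stand-in constructed for the example. It places the unguarded skb->dev use beside a version that validates the device before the local-address lookup and fails closed when none is present.

```c
/* Added example (not the kernel's code): a user-space model of the TTL check
 * in nf_osf_ttl(), showing the unguarded skb->dev dereference beside a guarded
 * version.  Names echo the kernel's, but every definition here is a
 * simplified stand-in constructed for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TTL matching modes; names follow the nf_osf constants, values assumed. */
enum { OSF_TTL_TRUE = 0, OSF_TTL_LESS = 1, OSF_TTL_NOCHECK = 2 };

/* One configured IPv4 address on an interface (stand-in for in_ifaddr). */
struct ifaddr_model {
    uint32_t addr;             /* host-order IPv4 address */
    uint32_t mask;             /* host-order netmask */
    struct ifaddr_model *next;
};

/* Stand-in for net_device together with its in_device address list. */
struct dev_model {
    const char *name;
    struct ifaddr_model *ifa_list;
};

/* The sk_buff / iphdr fields the check consults. */
struct skb_model {
    struct dev_model *dev;   /* NULL when the packet has no ingress device */
    uint32_t saddr;          /* host-order source address */
    uint8_t ttl;
};

/* Is saddr in the same subnet as this interface address? */
static bool ifa_match(uint32_t saddr, const struct ifaddr_model *ifa)
{
    return (saddr & ifa->mask) == (ifa->addr & ifa->mask);
}

/* Walk the device's addresses: a packet from a local subnet must carry the
 * fingerprint's exact initial TTL; anything else is not a match. */
static int ttl_match_on_local_subnet(const struct dev_model *dev,
                                     uint32_t saddr, uint8_t ttl, uint8_t f_ttl)
{
    for (const struct ifaddr_model *ifa = dev->ifa_list; ifa; ifa = ifa->next)
        if (ifa_match(saddr, ifa))
            return ttl == f_ttl;
    return 0;
}

/* Vulnerable shape: skb->dev is used without a NULL check.  A packet that
 * reaches the lookup with dev == NULL dereferences a null pointer, which in
 * the kernel is the panic the advisory describes. */
int osf_ttl_unguarded(const struct skb_model *skb, int ttl_check, uint8_t f_ttl)
{
    if (ttl_check == OSF_TTL_TRUE)
        return skb->ttl == f_ttl;
    if (ttl_check == OSF_TTL_NOCHECK)
        return 1;
    if (skb->ttl <= f_ttl)
        return 1;
    /* BUG: skb->dev may be NULL here. */
    return ttl_match_on_local_subnet(skb->dev, skb->saddr, skb->ttl, f_ttl);
}

/* Hardened shape: validate the device before the address lookup.  "No
 * device" is treated as "no local-subnet match", so the packet simply fails
 * the fingerprint instead of crashing the kernel (fail closed). */
int osf_ttl_guarded(const struct skb_model *skb, int ttl_check, uint8_t f_ttl)
{
    if (ttl_check == OSF_TTL_TRUE)
        return skb->ttl == f_ttl;
    if (ttl_check == OSF_TTL_NOCHECK)
        return 1;
    if (skb->ttl <= f_ttl)
        return 1;
    if (!skb->dev)                      /* the missing check */
        return 0;
    return ttl_match_on_local_subnet(skb->dev, skb->saddr, skb->ttl, f_ttl);
}

/* Constructed sample interface 192.168.1.1/24 and a packet from 192.168.1.50. */
static struct ifaddr_model sample_ifa = { 0xC0A80101u, 0xFFFFFF00u, NULL };
static struct dev_model sample_dev = { "eth0", &sample_ifa };

/* Convenience wrapper: verdict of the guarded check for a constructed packet
 * with or without an ingress device. */
int guarded_verdict(bool has_dev, uint8_t ttl, int mode, uint8_t f_ttl)
{
    struct skb_model skb = { has_dev ? &sample_dev : NULL, 0xC0A80132u, ttl };
    return osf_ttl_guarded(&skb, mode, f_ttl);
}

/* Same wrapper for the unguarded check; only safe to call with has_dev == true. */
int unguarded_verdict(bool has_dev, uint8_t ttl, int mode, uint8_t f_ttl)
{
    struct skb_model skb = { has_dev ? &sample_dev : NULL, 0xC0A80132u, ttl };
    return osf_ttl_unguarded(&skb, mode, f_ttl);
}

int main(void)
{
    printf("with device, LESS mode: unguarded=%d guarded=%d\n",
           unguarded_verdict(true, 128, OSF_TTL_LESS, 64),
           guarded_verdict(true, 128, OSF_TTL_LESS, 64));
    /* unguarded_verdict(false, 128, OSF_TTL_LESS, 64) would crash here. */
    printf("no device, LESS mode: guarded=%d\n",
           guarded_verdict(false, 128, OSF_TTL_LESS, 64));
    return 0;
}
```

The guarded version keeps the two mode branches that never touch the device unchanged, so fingerprints using TTL_TRUE or TTL_NOCHECK still match packets that arrive without an ingress device; only the subnet-dependent branch is affected, and there a missing device yields "no match" rather than a panic.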
Affected Systems
All Linux kernel distributions that include the nfnetlink_osf subsystem before the patch referenced in the supplied commit logs are vulnerable. No specific version range is listed, so any kernel build containing the legacy nf_osf_ttl() implementation is at risk. Administrators should identify the exact kernel version in use and expect that kernels compiled from sources prior to the recent updates are affected.
Risk and Exploitability
The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, but the nature of the bug – a kernel null dereference triggered by a network packet – suggests a high potential impact if an attacker can deliver a crafted packet. The CVSS score is not provided; however, exploitation appears feasible from a remote network endpoint because the function sits in the netfilter packet path. An attacker with sufficient packet-crafting capabilities could trigger the crash without local privileges, making the risk significant for exposed services and public servers.
OpenCVE Enrichment