Impact
The nf_osf_ttl() function in the nfnetlink_osf subsystem accesses skb->dev to perform a local interface address lookup without verifying that the device pointer was valid. The description notes that this missing check could result in a null pointer dereference when skb->dev is NULL, which would lead the kernel to crash and render the system unavailable. The implementation also used an in_dev_for_each_ifa_rcu loop that assumed packets from the same subnet would not experience a TTL decrement, a premise that does not hold in modern containerized or virtualized environments. Consequently, a packet crafted to reach this code path could trigger the null dereference, causing a kernel panic and a denial‑of‑service condition.
Affected Systems
All Linux kernel distributions that include the nfnetlink_osf subsystem before the patch referenced in the supplied commit logs are vulnerable. No specific version range is listed, so any nf_osf_ttl() implementation in that code path is at risk. Administrators should identify the exact kernel version in use and expect that kernels compiled from sources prior to the recent updates are affected.
Risk and Exploitability
The EPSS score of < 1% indicates a very low estimated exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 7.5 classifies this flaw as high severity, meaning a successful exploit could produce significant system impact. Based on the description, it is inferred that an attacker would need to send a crafted network packet that reaches the nfnetlink_osf subsystem to trigger the null dereference. The description does not explicitly state the attack vector, but the location in the netfilter stack suggests that a remote attacker could exploit this from an external network if the target processes packets that traverse the nfnetlink_osf code path. While the likelihood of exploitation remains low, the impact of a successful exploit—kernel panic and denial of service—is significant for exposed services or public servers.
OpenCVE Enrichment
Debian DLA