Description
In the Linux kernel, the following vulnerability has been resolved:

ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options

This patch restricts setting Loose Source and Record Route (LSRR)
and Strict Source and Record Route (SSRR) IP options to users
with CAP_NET_RAW capability.

This prevents unprivileged applications from forcing packets to route
through attacker-controlled nodes to leak TCP ISN and possibly other
protocol information.

While LSRR and SSRR are commonly filtered in many network environments,
they may still be supported and forwarded along some network paths.

RFC 7126 (Recommendations on Filtering of IPv4 Packets Containing
IPv4 Options) recommend to drop these options in 4.3 and 4.4.
Published: 2026-06-25
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows unprivileged applications to set the Loose Source and Record Route (LSRR) and Strict Source and Record Route (SSRR) IP options without CAP_NET_RAW capability. By forcing packets to be routed through attacker‑controlled nodes, an adversary can observe TCP initial sequence numbers and other protocol data, providing a means to leak potentially sensitive connection information. This defect originates from improper privilege enforcement, as described by CWE‑266, allowing privileged network behavior to be performed by a non‑privileged user.

Affected Systems

Affected systems are any deployments of the Linux kernel, as indicated by the kernel CPE string are enumerated in the available data, so any kernel that has notS IPOPT_SSRR and IPOPT_LSRR options remains vulnerable.

Risk and Exploitability

The CVSS score of 7.0 indicates high severity. The EPSS score is < 1%, showing a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local, as the vulnerability allows a local user process to send packets with these options, a capability normally restricted to privileged users. Given that LSRR and SSRR remain enabled in some network environments, exploitation could leak TCP ISNs and other protocol data from forwarded traffic.

Generated by OpenCVE AI on June 26, 2026 at 17:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the patch which restricts IPOPT_SSRR and IPOPT_LSRR options to CAP_NET_RAW users.
  • If a kernel upgrade is not yet possible, configure firewall or network device rules (iptables, nftables, or equivalent) to drop any packets containing LSRR or SSRR IP options.
  • Monitor system logs for attempts to send packets with these IP options and verify that only privileged processes are generating them.

Generated by OpenCVE AI on June 26, 2026 at 17:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-266
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options This patch restricts setting Loose Source and Record Route (LSRR) and Strict Source and Record Route (SSRR) IP options to users with CAP_NET_RAW capability. This prevents unprivileged applications from forcing packets to route through attacker-controlled nodes to leak TCP ISN and possibly other protocol information. While LSRR and SSRR are commonly filtered in many network environments, they may still be supported and forwarded along some network paths. RFC 7126 (Recommendations on Filtering of IPv4 Packets Containing IPv4 Options) recommend to drop these options in 4.3 and 4.4.
Title ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:41.971Z

Reserved: 2026-06-09T07:44:35.394Z

Link: CVE-2026-53249

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53249 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T17:30:05Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment