{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23397", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.011Z", "datePublished": "2026-03-26T10:22:49.954Z", "dateUpdated": "2026-04-18T08:58:32.483Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-18T08:58:32.483Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfnetlink_osf: validate individual option lengths in fingerprints\n\nnfnl_osf_add_callback() validates opt_num bounds and string\nNUL-termination but does not check individual option length fields.\nA zero-length option causes nf_osf_match_one() to enter the option\nmatching loop even when foptsize sums to zero, which matches packets\nwith no TCP options where ctx->optp is NULL:\n\n Oops: general protection fault\n KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)\n Call Trace:\n nf_osf_match (net/netfilter/nfnetlink_osf.c:227)\n xt_osf_match_packet (net/netfilter/xt_osf.c:32)\n ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)\n nf_hook_slow (net/netfilter/core.c:623)\n ip_local_deliver (net/ipv4/ip_input.c:262)\n ip_rcv (net/ipv4/ip_input.c:573)\n\nAdditionally, an MSS option (kind=2) with length < 4 causes\nout-of-bounds reads when nf_osf_match_one() unconditionally accesses\noptp[2] and optp[3] for MSS value extraction. While RFC 9293\nsection 3.2 specifies that the MSS option is always exactly 4\nbytes (Kind=2, Length=4), the check uses \"< 4\" rather than\n\"!= 4\" because lengths greater than 4 do not cause memory\nsafety issues -- the buffer is guaranteed to be at least\nfoptsize bytes by the ctx->optsize == foptsize check.\n\nReject fingerprints where any option has zero length, or where an MSS\noption has length less than 4, at add time rather than trusting these\nvalues in the packet matching hot path."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nfnetlink_osf.c"], "versions": [{"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384", "lessThan": "e9cf17b91e733fec725ebcc0b3098bc5ccd505e0", "status": "affected", "versionType": "git"}, {"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384", "lessThan": "3c11b5c2436a3a5b450612ab160e3a525b28cfb5", "status": "affected", "versionType": "git"}, {"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384", "lessThan": "aa0574182c46963c3cdb8cde46ec93aca21100d8", "status": "affected", "versionType": "git"}, {"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384", "lessThan": "224f4678812e1a7bc8341bcb666773a0aec5ea6f", "status": "affected", "versionType": "git"}, {"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384", "lessThan": "ec8bf0571b142f29dc0b68ae2ac3952f7a464b38", "status": "affected", "versionType": "git"}, {"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384", "lessThan": "3932620c04c2938c93c0890c225960d3d34ba355", "status": "affected", "versionType": "git"}, {"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384", "lessThan": "4c6aa008b913e808c4f4d3cde36cb1d9bb5967c6", "status": "affected", "versionType": "git"}, {"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384", "lessThan": "dbdfaae9609629a9569362e3b8f33d0a20fd783c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nfnetlink_osf.c"], "versions": [{"version": "2.6.31", "status": "affected"}, {"version": "0", "lessThan": "2.6.31", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/e9cf17b91e733fec725ebcc0b3098bc5ccd505e0"}, {"url": "https://git.kernel.org/stable/c/3c11b5c2436a3a5b450612ab160e3a525b28cfb5"}, {"url": "https://git.kernel.org/stable/c/aa0574182c46963c3cdb8cde46ec93aca21100d8"}, {"url": "https://git.kernel.org/stable/c/224f4678812e1a7bc8341bcb666773a0aec5ea6f"}, {"url": "https://git.kernel.org/stable/c/ec8bf0571b142f29dc0b68ae2ac3952f7a464b38"}, {"url": "https://git.kernel.org/stable/c/3932620c04c2938c93c0890c225960d3d34ba355"}, {"url": "https://git.kernel.org/stable/c/4c6aa008b913e808c4f4d3cde36cb1d9bb5967c6"}, {"url": "https://git.kernel.org/stable/c/dbdfaae9609629a9569362e3b8f33d0a20fd783c"}], "title": "nfnetlink_osf: validate individual option lengths in fingerprints", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "57E89197-6305-4D47-AE24-4D5D20CC8429", "versionEndExcluding": "5.10.253", "versionStartIncluding": "2.6.31.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2EDC6BAF-B710-4E26-B6AA-D68922EE7B43", "versionEndExcluding": "6.1.167", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267", "versionEndExcluding": "6.6.130", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "28D591F5-B196-4CC9-905C-DC80F116E7A8", "versionEndExcluding": "6.12.78", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E5571059-6552-48E7-9BEF-3E358C387171", "versionEndExcluding": "6.18.20", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "96D34333-38BE-4414-9E79-6EB764329581", "versionEndExcluding": "6.19.10", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.31:-:*:*:*:*:*:*", "matchCriteriaId": "2887290A-1B43-4DB9-A9D0-B0B56CD78E48", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfnetlink_osf: validate individual option lengths in fingerprints\n\nnfnl_osf_add_callback() validates opt_num bounds and string\nNUL-termination but does not check individual option length fields.\nA zero-length option causes nf_osf_match_one() to enter the option\nmatching loop even when foptsize sums to zero, which matches packets\nwith no TCP options where ctx->optp is NULL:\n\n Oops: general protection fault\n KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)\n Call Trace:\n nf_osf_match (net/netfilter/nfnetlink_osf.c:227)\n xt_osf_match_packet (net/netfilter/xt_osf.c:32)\n ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)\n nf_hook_slow (net/netfilter/core.c:623)\n ip_local_deliver (net/ipv4/ip_input.c:262)\n ip_rcv (net/ipv4/ip_input.c:573)\n\nAdditionally, an MSS option (kind=2) with length < 4 causes\nout-of-bounds reads when nf_osf_match_one() unconditionally accesses\noptp[2] and optp[3] for MSS value extraction. While RFC 9293\nsection 3.2 specifies that the MSS option is always exactly 4\nbytes (Kind=2, Length=4), the check uses \"< 4\" rather than\n\"!= 4\" because lengths greater than 4 do not cause memory\nsafety issues -- the buffer is guaranteed to be at least\nfoptsize bytes by the ctx->optsize == foptsize check.\n\nReject fingerprints where any option has zero length, or where an MSS\noption has length less than 4, at add time rather than trusting these\nvalues in the packet matching hot path."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnfnetlink_osf: validar longitudes de opciones individuales en huellas digitales\n\nnfnl_osf_add_callback() valida los l\u00edmites de opt_num y la terminaci\u00f3n NUL de cadena, pero no verifica los campos de longitud de opciones individuales. Una opci\u00f3n de longitud cero hace que nf_osf_match_one() entre en el bucle de coincidencia de opciones incluso cuando foptsize suma cero, lo que coincide con paquetes sin opciones TCP donde ctx-&gt;optp es NULL:\n\n Oops: fallo de protecci\u00f3n general\n KASAN: desreferencia de puntero nulo en el rango [0x0000000000000000-0x0000000000000007]\n RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)\n Traza de llamada:\n nf_osf_match (net/netfilter/nfnetlink_osf.c:227)\n xt_osf_match_packet (net/netfilter/xt_osf.c:32)\n ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)\n nf_hook_slow (net/netfilter/core.c:623)\n ip_local_deliver (net/ipv4/ip_input.c:262)\n ip_rcv (net/ipv4/ip_input.c:573)\n\nAdem\u00e1s, una opci\u00f3n MSS (tipo=2) con longitud &lt; 4 causa lecturas fuera de l\u00edmites cuando nf_osf_match_one() accede incondicionalmente a optp[2] y optp[3] para la extracci\u00f3n del valor MSS. Si bien la secci\u00f3n 3.2 de RFC 9293 especifica que la opci\u00f3n MSS es siempre exactamente de 4 bytes (Tipo=2, Longitud=4), la verificaci\u00f3n usa '&lt; 4' en lugar de '!= 4' porque las longitudes mayores que 4 no causan problemas de seguridad de la memoria -- el b\u00fafer est\u00e1 garantizado para ser de al menos foptsize bytes por la verificaci\u00f3n ctx-&gt;optsize == foptsize.\n\nRechazar huellas digitales donde cualquier opci\u00f3n tenga longitud cero, o donde una opci\u00f3n MSS tenga longitud menor que 4, en el momento de la adici\u00f3n en lugar de confiar en estos valores en la ruta cr\u00edtica de coincidencia de paquetes."}], "id": "CVE-2026-23397", "lastModified": "2026-04-24T15:18:09.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-26T11:16:19.720", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/224f4678812e1a7bc8341bcb666773a0aec5ea6f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3932620c04c2938c93c0890c225960d3d34ba355"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3c11b5c2436a3a5b450612ab160e3a525b28cfb5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4c6aa008b913e808c4f4d3cde36cb1d9bb5967c6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/aa0574182c46963c3cdb8cde46ec93aca21100d8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/dbdfaae9609629a9569362e3b8f33d0a20fd783c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e9cf17b91e733fec725ebcc0b3098bc5ccd505e0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ec8bf0571b142f29dc0b68ae2ac3952f7a464b38"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "Linux kernel: nfnetlink_osf: Linux kernel: Denial of Service in nfnetlink_osf via crafted network packets", "id": "2451664", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451664"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-130", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnfnetlink_osf: validate individual option lengths in fingerprints\nnfnl_osf_add_callback() validates opt_num bounds and string\nNUL-termination but does not check individual option length fields.\nA zero-length option causes nf_osf_match_one() to enter the option\nmatching loop even when foptsize sums to zero, which matches packets\nwith no TCP options where ctx->optp is NULL:\nOops: general protection fault\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nRIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)\nCall Trace:\nnf_osf_match (net/netfilter/nfnetlink_osf.c:227)\nxt_osf_match_packet (net/netfilter/xt_osf.c:32)\nipt_do_table (net/ipv4/netfilter/ip_tables.c:293)\nnf_hook_slow (net/netfilter/core.c:623)\nip_local_deliver (net/ipv4/ip_input.c:262)\nip_rcv (net/ipv4/ip_input.c:573)\nAdditionally, an MSS option (kind=2) with length < 4 causes\nout-of-bounds reads when nf_osf_match_one() unconditionally accesses\noptp[2] and optp[3] for MSS value extraction. While RFC 9293\nsection 3.2 specifies that the MSS option is always exactly 4\nbytes (Kind=2, Length=4), the check uses \"< 4\" rather than\n\"!= 4\" because lengths greater than 4 do not cause memory\nsafety issues -- the buffer is guaranteed to be at least\nfoptsize bytes by the ctx->optsize == foptsize check.\nReject fingerprints where any option has zero length, or where an MSS\noption has length less than 4, at add time rather than trusting these\nvalues in the packet matching hot path.", "A flaw was found in the nfnetlink_osf module of the Linux kernel. A remote attacker could send specially crafted network packets containing malformed options, such as zero-length options or a Maximum Segment Size (MSS) option with an invalid length. This could lead to a system crash, resulting in a Denial of Service (DoS), which makes the system unavailable to legitimate users."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, prevent the nfnetlink_osf and xt_osf modules from being loaded. See https://access.redhat.com/solutions/41278 for instructions."}, "name": "CVE-2026-23397", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-26T10:22:49Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23397\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23397\nhttps://lore.kernel.org/linux-cve-announce/2026032634-CVE-2026-23397-d4f0@gregkh/T"], "statement": "Exploitation of this vulnerability requires CAP_NET_ADMIN privileges to load the malicious OS fingerprint via nfnl_osf_add_callback(). Network packets then trigger the crash during fingerprint matching. Since setting up the vulnerable condition requires elevated privileges, and the impact is limited to denial of service, the risk is reduced compared to a purely remote attack.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384,aa0574182c46963c3cdb8cde46ec93aca21100d8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384,224f4678812e1a7bc8341bcb666773a0aec5ea6f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384,ec8bf0571b142f29dc0b68ae2ac3952f7a464b38)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384,3932620c04c2938c93c0890c225960d3d34ba355)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384,4c6aa008b913e808c4f4d3cde36cb1d9bb5967c6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384,dbdfaae9609629a9569362e3b8f33d0a20fd783c)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.31"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,2.6.31)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T09:02:58.074879+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the nfnetlink_osf validation patch.", "Reboot the system to ensure the patched kernel is active.", "Monitor kernel logs for nf_osf_match_one crashes and verify the patch's effectiveness."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Any Linux system running a kernel that includes the nfnetlink_osf driver but lacks the patch is affected. The affected products are Linux kernel releases compiled with nfnetlink_osf enabled. The list of affected kernel versions is not explicitly provided, so any kernel prior to the fix should be considered vulnerable.", "description_and_impact": "In the Linux kernel, the nfnetlink_osf fingerprinting subsystem fails to validate the length of individual TCP option entries. A zero\u2011length option or an MSS option shorter than four bytes bypasses the expected checks, causing nf_osf_match_one to dereference a null or out\u2011of\u2011bounds pointer during packet matching. This leads to a kernel general protection fault and a KASAN null\u2011ptr dereference, resulting in a system crash. The bug does not provide direct code execution or privilege escalation, but the crash can be triggered remotely by sending crafted packets, resulting in denial of service for the affected host.", "risk_and_exploitability": "The CVSS score is 7.1, indicating a high severity. The EPSS score is below 1\u202f%, showing a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack requires an attacker to send specially crafted packets to a host that processes nfnetlink_osf fingerprints, which is typically part of the netfilter packet filtering subsystem. While the immediate impact is a denial of service, there is no evidence of arbitrary code execution or privilege escalation."}}}}, "created": "2026-03-26T13:54:54.928912+00:00", "updated": "2026-04-28T09:15:09.678327+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}