Severity: HIGH
netfilter TCPOption OOB
CVE-2026-43190
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
KernelScan AI score: 7.9 (HIGH)
01 Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: xt_tcpmss: check remaining length before reading optlen

Quoting reporter:

In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads op[i+1] directly without validating the remaining option length. If the last byte of the option field is not EOL/NOP (0/1), the code attempts to index op[i+1]. In the case where i + 1 == optlen, this causes an out-of-bounds read, accessing memory past the optlen boundary (either reading beyond the stack buffer _opt or the following payload).
02 KernelScan AI Analysis
Risk summary
Remote attackers can trigger an out-of-bounds read in the netfilter TCP MSS option parser by sending a crafted TCP packet to a system with xt_tcpmss rules. The parser reads past the TCP option buffer when the last option byte is not EOL/NOP, using the out-of-bounds value to advance the loop index. This can cause a kernel panic when unmapped memory is accessed, resulting in denial of service. Limited kernel memory exposure may also occur before a crash.
Vulnerability analysis
The vulnerability occurs in the TCP option parsing loop within xt_tcpmss.c. When processing TCP options, if the loop index reaches the final byte (i == optlen - 1) and that byte is not an EOL or NOP option (value >= 2), the code reads op[i+1] to determine the option length without validating that i+1 is within bounds. This out-of-bounds read accesses memory beyond the stack buffer _opt. Because the read value is used to advance the loop counter, subsequent iterations can access memory far beyond the buffer, potentially touching unmapped pages and causing a kernel panic. The fix adds a boundary check (i == optlen - 1) before accessing op[i+1].
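The walk described above, as an added model rather than the kernel's own code: it keeps the xt_tcpmss advance rule (EOL/NOP step one byte, any other kind steps by its length byte op[i+1], or 1 when that byte is 0) over a constructed option buffer. With checked == 0 it follows the unfixed loop but reports the read of op[i+1] at i == optlen - 1 instead of performing it; with checked == 1 it applies the boundary check the fix adds. The names walk_tcp_options, option_walk_status and option_walk_mss are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>

#define TCPOPT_MSS  2
#define TCPOLEN_MSS 4

enum { MSS_NOT_FOUND = 0, MSS_FOUND = 1, MSS_OOB_READ = -1 };

/*
 * Model of the xt_tcpmss option walk over the option bytes only
 * (op[0..optlen); the kernel indexes from sizeof(struct tcphdr)).
 * checked == 0: unfixed behaviour, except that the out-of-bounds read of
 * op[i+1] at i == optlen - 1 is reported as MSS_OOB_READ, not performed.
 * checked == 1: the fix, which stops before reading past the buffer.
 */
static int walk_tcp_options(const uint8_t *op, size_t optlen, int checked,
                            uint16_t *mss_out)
{
    size_t i = 0;

    while (i < optlen) {
        if (op[i] == TCPOPT_MSS && (optlen - i) >= TCPOLEN_MSS &&
            op[i + 1] == TCPOLEN_MSS) {
            *mss_out = (uint16_t)((op[i + 2] << 8) | op[i + 3]);
            return MSS_FOUND;
        }
        if (op[i] < 2) {            /* EOL or NOP: single-byte option */
            i++;
            continue;
        }
        if (i == optlen - 1)        /* length byte would be op[optlen] */
            return checked ? MSS_NOT_FOUND : MSS_OOB_READ;
        i += op[i + 1] ? op[i + 1] : 1;   /* kernel: i += op[i+1] ?: 1 */
    }
    return MSS_NOT_FOUND;
}

/* Wrappers returning plain ints: status code, or MSS value (-1 if none). */
static int option_walk_status(const uint8_t *op, size_t optlen, int checked)
{
    uint16_t mss = 0;
    return walk_tcp_options(op, optlen, checked, &mss);
}

static int option_walk_mss(const uint8_t *op, size_t optlen, int checked)
{
    uint16_t mss = 0;
    return walk_tcp_options(op, optlen, checked, &mss) == MSS_FOUND ? mss : -1;
}
```

A buffer whose last byte is a kind other than 0/1 (for example a truncated kind 3) is exactly the case where the unfixed loop reaches op[optlen]; the checked walk returns MSS_NOT_FOUND for it instead.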
03 Fix Versions

| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.252 | f895191dc32c |
| 5.15 | 5.15.202 | cd5beda7e0e3 |
| 6.1 | 6.1.165 | eaedc0bc18be |
| 6.6 | 6.6.128 | 07a9b32eaae7 |
| 6.12 | 6.12.75 | 8b300f726640 |
| 6.18 | 6.18.16 | 5e13d0a37666 |
| 6.19 | 6.19.6 | f6c412dcfd76 |
| mainline | 7.0 | 735ee8582da3 |