HIGH
netfilter OptionWalker OOB
CVE-2026-43452
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
KernelScan AI: 5.3 MEDIUM

Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: x_tables: guard option walkers against 1-byte tail reads

When the last byte of options is a non-single-byte option kind, walkers that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end of the option area. Add an explicit i == optlen - 1 check before dereferencing op[i + 1] in xt_tcpudp and xt_dccp option walkers.

KernelScan AI Analysis
Risk summary
Remote attackers can trigger a 1-byte out-of-bounds read in netfilter TCP/UDP and DCCP option parsing by sending crafted network packets to a system with netfilter rules that match TCP or DCCP packet options. This can leak up to 1 byte of adjacent kernel memory (stack or heap) per packet.
Vulnerability analysis
The vulnerability occurs in netfilter's TCP/UDP and DCCP option parsing code (xt_tcpudp and xt_dccp) where option walkers advance using 'i += op[i + 1] ? : 1'. When processing a packet whose TCP/DCCP options end with a non-single-byte option kind (value >= 2) as the final byte, the walker attempts to read op[i + 1] one byte past the end of the option area. This results in a 1-byte out-of-bounds read from either the local stack buffer or socket buffer memory. The bug is triggered during packet matching when a netfilter rule uses the tcp or dccp match extensions with option inspection. Any network-delivered packet (IPv4 or IPv6) that hits such a rule can trigger the vulnerability; the attacker does not need privileges on the target system.
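The walker described above, modelled as an added standalone example rather than the kernel's own code: the unguarded loop beside a guarded variant that applies the advisory's i == optlen - 1 check, both run over a constructed option area whose final byte is a multi-byte kind. The function and variable names (walk_options, sample_opts, sample_walk) and the exact shape of the guard are assumptions, since the page does not show the patched source; the walker records the highest index it dereferences so the tail read is visible without actually reading unowned memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Outcome of one walk: whether the kind was found and the highest index
 * dereferenced, so a tail read is observable without actually doing one. */
struct walk_result {
    bool found;
    size_t max_index_read;
};

/* Model of the x_tables option walker (assumed shape, not the kernel's code).
 * op must be optlen + 1 bytes so the unguarded variant's tail read hits a
 * sentinel. guarded applies the advisory's explicit i == optlen - 1 check. */
static struct walk_result walk_options(const uint8_t *op, size_t optlen,
                                       uint8_t option, bool guarded)
{
    struct walk_result r = { false, 0 };
    size_t i = 0;

    while (i < optlen) {
        if (i > r.max_index_read) r.max_index_read = i;
        if (op[i] == option) { r.found = true; return r; }
        if (op[i] < 2) {        /* EOL (0) and NOP (1) carry no length byte */
            i++;
            continue;
        }
        /* Any other kind keeps its length in op[i + 1], which only exists
         * if i is not the final byte of the option area. */
        if (guarded && i == optlen - 1)
            break;
        r.max_index_read = i + 1;
        i += op[i + 1] ? op[i + 1] : 1;   /* the kernel's i += op[i+1] ?: 1 */
    }
    return r;
}

/* Constructed sample, not a capture: NOP, NOP, MSS (kind 2, len 4, 1460),
 * then a lone kind-8 byte as the last byte of a 7-byte option area.
 * sample_opts[7] is a sentinel standing in for the memory after it. */
#define SAMPLE_OPTLEN 7
static const uint8_t sample_opts[SAMPLE_OPTLEN + 1] = {
    1, 1, 2, 4, 0x05, 0xb4, 8, 0xff
};

/* Search the sample for one option kind with or without the guard. */
static struct walk_result sample_walk(uint8_t option, bool guarded)
{
    return walk_options(sample_opts, SAMPLE_OPTLEN, option, guarded);
}
```

Searching for a kind that is absent (here 3, window scale) drives the unguarded walker to index 7, one past the option area, while the guarded walker stops at index 6.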
Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | c2a445367a49 |
| 5.15 | 5.15.203 | ae1e12676506 |
| 6.1 | 6.1.167 | c39f84e4be1b |
| 6.12 | 6.12.78 | 5b18b8b35c7c |
| 6.18 | 6.18.19 | bc18551c6169 |
| 6.19 | 6.19.9 | d04800323336 |
| 6.6 | 6.6.130 | 9b94f0e42ed2 |
| mainline | 7.0 | cfe770220ac2 |