CVE-2026-23397
Out-of-Bounds Read in Linux nfnetlink_osf Causes Kernel Crash

Publication date: 2026-03-26

Last updated on: 2026-04-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

nfnetlink_osf: validate individual option lengths in fingerprints

nfnl_osf_add_callback() validates opt_num bounds and string NUL-termination but does not check individual option length fields. A zero-length option causes nf_osf_match_one() to enter the option matching loop even when foptsize sums to zero, which matches packets with no TCP options where ctx->optp is NULL:

Oops: general protection fault
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
Call Trace:
 nf_osf_match (net/netfilter/nfnetlink_osf.c:227)
 xt_osf_match_packet (net/netfilter/xt_osf.c:32)
 ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)
 nf_hook_slow (net/netfilter/core.c:623)
 ip_local_deliver (net/ipv4/ip_input.c:262)
 ip_rcv (net/ipv4/ip_input.c:573)

Additionally, an MSS option (kind=2) with length < 4 causes out-of-bounds reads when nf_osf_match_one() unconditionally accesses optp[2] and optp[3] for MSS value extraction. While RFC 9293 section 3.2 specifies that the MSS option is always exactly 4 bytes (Kind=2, Length=4), the check uses "< 4" rather than "!= 4" because lengths greater than 4 do not cause memory safety issues -- the buffer is guaranteed to be at least foptsize bytes by the ctx->optsize == foptsize check.

Reject fingerprints where any option has zero length, or where an MSS option has length less than 4, at add time rather than trusting these values in the packet matching hot path.
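The following C model is an added example, not code from the kernel or from the nfnetlink_osf.c file the description names. It reproduces the add-time rule the fix describes (reject any zero-length option and any MSS option shorter than 4 bytes) and pairs it with a bounds-checked option walk that refuses, rather than reads through, the two cases an unvalidated fingerprint would have pushed into the matcher: a zero-length option whose foptsize sums to zero against a packet with no options (optp NULL), and a short MSS option whose value bytes optp[2] and optp[3] lie past the buffer. The struct layout, the function names fp_validate_opts, fp_optsize and fp_match_opts, and the sample packet bytes are all constructed for this example.

```c
/* Added example (constructed, not kernel code): add-time validation of
 * fingerprint option lengths and a bounds-checked option walk. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OSF_OPT_MSS 2      /* TCP option kind for MSS (RFC 9293 section 3.2) */
#define OSF_MAX_OPTS 8     /* hypothetical per-fingerprint option limit */

/* One fingerprint option: kind and declared length (hypothetical layout). */
struct fp_opt {
    uint8_t kind;
    uint8_t length;
};

struct fp {
    unsigned int opt_num;
    struct fp_opt opt[OSF_MAX_OPTS];
};

/* Add-time check matching the rule in the fix description: reject a
 * fingerprint whose options include a zero length or an MSS option with
 * length < 4.  Returns 0 when acceptable, -1 otherwise; *bad receives the
 * index of the first offending option. */
int fp_validate_opts(const struct fp *f, unsigned int *bad)
{
    if (f->opt_num > OSF_MAX_OPTS)
        return -1;
    for (unsigned int i = 0; i < f->opt_num; i++) {
        const struct fp_opt *o = &f->opt[i];
        if (o->length == 0 || (o->kind == OSF_OPT_MSS && o->length < 4)) {
            if (bad)
                *bad = i;
            return -1;
        }
    }
    return 0;
}

/* Sum of declared option lengths (the "foptsize" the matcher compares
 * against the packet's option size before walking options). */
unsigned int fp_optsize(const struct fp *f)
{
    unsigned int sum = 0;
    for (unsigned int i = 0; i < f->opt_num; i++)
        sum += f->opt[i].length;
    return sum;
}

/* Walk the packet's options against the fingerprint.  Returns 1 on match,
 * 0 on mismatch, and -1 where an unchecked walk would have dereferenced a
 * NULL optp or read MSS value bytes beyond the option buffer. */
int fp_match_opts(const struct fp *f, const uint8_t *optp,
                  unsigned int optsize, uint16_t *mss_out)
{
    if (fp_optsize(f) != optsize)
        return 0;
    if (optsize == 0)                 /* no TCP options: optp may be NULL */
        return f->opt_num == 0 ? 1 : -1;

    unsigned int off = 0;
    for (unsigned int i = 0; i < f->opt_num; i++) {
        const struct fp_opt *o = &f->opt[i];
        if (o->length == 0 || off + o->length > optsize)
            return -1;
        if (optp[off] != o->kind)
            return 0;
        if (o->kind == OSF_OPT_MSS) {
            if (o->length < 4)        /* optp[off+2], optp[off+3] would be OOB */
                return -1;
            if (mss_out)
                *mss_out = (uint16_t)((optp[off + 2] << 8) | optp[off + 3]);
        }
        off += o->length;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: MSS=1460 followed by a NOP, then two bad fingerprints. */
    const uint8_t pkt[] = { 2, 4, 0x05, 0xb4, 1 };
    struct fp good = { 2, { { 2, 4 }, { 1, 1 } } };
    struct fp zero = { 1, { { 1, 0 } } };
    struct fp short_mss = { 1, { { 2, 2 } } };
    unsigned int bad = 0;
    uint16_t mss = 0;

    printf("good: validate=%d match=%d mss=%u\n",
           fp_validate_opts(&good, &bad), fp_match_opts(&good, pkt, 5, &mss), mss);
    printf("zero-length: validate=%d (opt %u) match=%d\n",
           fp_validate_opts(&zero, &bad), bad, fp_match_opts(&zero, NULL, 0, NULL));
    printf("short MSS: validate=%d (opt %u)\n", fp_validate_opts(&short_mss, &bad), bad);
    return 0;
}
```

The point of the split is the one the description makes: fp_validate_opts runs once when a fingerprint is added, so the per-packet walk never has to trust the length fields it is handed, and the -1 paths in fp_match_opts only document what the walk would otherwise do.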
Meta Information
Published: 2026-03-26
Last Modified: 2026-04-24
Generated: 2026-05-07
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
linux linux_kernel 2.6.31
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 2.6.31.1 (inc) to 5.10.253 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.78 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.20 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.10 (exc)
CWE
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's nfnetlink_osf module, which handles fingerprint matching for network packets.

The issue arises because the function nfnl_osf_add_callback() validates some aspects of options like their number and string termination, but it does not check the length of individual options.

If an option has zero length, the matching function nf_osf_match_one() enters a loop expecting options even when there are none, leading to a null pointer dereference and a general protection fault (kernel crash).

Additionally, if the MSS (Maximum Segment Size) TCP option has a length less than 4 bytes, nf_osf_match_one() reads out-of-bounds memory because it assumes the MSS option is always exactly 4 bytes as per RFC 9293.

The fix involves rejecting fingerprints with zero-length options or MSS options shorter than 4 bytes during the addition phase, preventing unsafe packet matching later.


How can this vulnerability impact me?

This vulnerability can cause a kernel crash (general protection fault) due to null pointer dereference when processing specially crafted network packets.

Such crashes can lead to denial of service (DoS) conditions on affected Linux systems, potentially disrupting network services or other critical operations.

In addition, out-of-bounds memory reads caused by malformed MSS options could potentially expose kernel memory contents, although the description does not explicitly confirm information disclosure.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is resolved by rejecting fingerprints where any option has zero length or where an MSS option has length less than 4 at add time rather than trusting these values in the packet matching hot path.

Therefore, immediate mitigation steps include updating the Linux kernel to a version where this fix is applied to ensure proper validation of option lengths in nfnetlink_osf.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the Linux kernel's nfnetlink_osf module improperly validating TCP fingerprint options, which can cause kernel crashes or memory safety issues.

Detection would involve monitoring for kernel oops or crashes related to nf_osf_match_one or nfnetlink_osf components, especially general protection faults or null pointer dereferences in the kernel logs.

You can check your kernel logs for such errors using commands like:

  • dmesg | grep -i 'nf_osf_match_one'
  • journalctl -k | grep -i 'nf_osf_match_one'
  • grep -i 'general protection fault' /var/log/kern.log

Additionally, monitoring for suspicious TCP packets with malformed TCP options (zero-length options or MSS options with length less than 4) could help detect attempts to trigger this vulnerability, but specific packet capture filters or scripts would need to be developed for this purpose.

