CVE-2026-45841
Received - Intake
Divide-by-Zero in Linux Kernel Netfilter OSF Module

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO

nf_osf_match_one() computes ctx->window % f->wss.val in the OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a subsequent matching TCP SYN divides by zero and panics the kernel.

Reject the bogus fingerprint in nfnl_osf_add_callback() above the per-option for-loop. f->wss is per-fingerprint, not per-option, so the check must run regardless of f->opt_num (including 0). Also reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that as "should not happen".

Crash:

  Oops: divide error: 0000 [#1] SMP KASAN NOPTI
  RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
  Call Trace:
   <IRQ>
   nf_osf_match (net/netfilter/nfnetlink_osf.c:220)
   xt_osf_match_packet (net/netfilter/xt_osf.c:32)
   ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)
   nf_hook_slow (net/netfilter/core.c:622)
   ip_local_deliver (net/ipv4/ip_input.c:265)
   ip_rcv (include/linux/skbuff.h:1162)
   __netif_receive_skb_one_core (net/core/dev.c:6181)
   process_backlog (net/core/dev.c:6642)
   __napi_poll (net/core/dev.c:7710)
   net_rx_action (net/core/dev.c:7945)
   handle_softirqs (kernel/softirq.c:622)
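
The add-time check described above, modeled in userspace C as an added example (it is not the kernel patch and not code from this page). The struct layouts, the function names validate_fingerprint and window_matches, and the sample values are assumptions made for illustration; the enum is defined locally for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Local stand-ins for the example; names follow the description above. */
enum { OSF_WSS_PLAIN, OSF_WSS_MSS, OSF_WSS_MTU, OSF_WSS_MODULO, OSF_WSS_MAX };

struct wss { uint32_t wc, val; };               /* per-fingerprint window rule */
struct fingerprint { struct wss wss; uint16_t opt_num; };

/* Add-time validation: runs before any per-option loop, so it also
 * covers fingerprints with opt_num == 0. */
int validate_fingerprint(const struct fingerprint *f)
{
    if (f->wss.wc >= OSF_WSS_MAX)
        return -EINVAL;                         /* unknown window mode */
    if (f->wss.wc == OSF_WSS_MODULO && f->wss.val == 0)
        return -EINVAL;                         /* would divide by zero at match time */
    return 0;
}

/* Match-time window check, simplified to the PLAIN and MODULO modes.
 * Returns 1 on match, 0 on no match. The val != 0 test is defence in
 * depth in case an unvalidated fingerprint ever reaches this point. */
int window_matches(const struct fingerprint *f, uint32_t window)
{
    switch (f->wss.wc) {
    case OSF_WSS_PLAIN:
        return window == f->wss.val;
    case OSF_WSS_MODULO:
        return f->wss.val != 0 && window % f->wss.val == 0;
    default:
        return 0;                               /* MSS/MTU modes omitted here */
    }
}

int main(void)
{
    /* Constructed sample fingerprints, not taken from any real database. */
    struct fingerprint bad = { { OSF_WSS_MODULO, 0 }, 0 };
    struct fingerprint ok  = { { OSF_WSS_MODULO, 8192 }, 3 };

    printf("bad: validate=%d\n", validate_fingerprint(&bad));
    printf("ok:  validate=%d match(16384)=%d\n",
           validate_fingerprint(&ok), window_matches(&ok, 16384));
    return 0;
}
```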
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-05-27
AI Q&A: 2026-05-27
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version / Range
linux | linux_kernel | *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's netfilter component, specifically in the nfnetlink_osf module. The function nf_osf_match_one() performs a modulo operation without checking if the divisor (f->wss.val) is zero. A user with CAP_NET_ADMIN privileges can add a fingerprint with a zero value for f->wss.val via nfnetlink. When a TCP SYN packet is matched against this fingerprint, the kernel attempts to divide by zero, causing a kernel panic and crash.


How can this vulnerability impact me?

The vulnerability can cause the Linux kernel to crash (kernel panic) when processing certain network packets. This results in a denial of service (DoS) condition, potentially disrupting network services and system availability. Since the crash is triggered by a privileged user adding a malicious fingerprint, it could be exploited to destabilize systems running vulnerable kernel versions.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability causes a kernel panic due to a divide-by-zero error in the nfnetlink_osf module when a malicious fingerprint with wss.val equal to zero is added by a CAP_NET_ADMIN user.

Detection can focus on monitoring for kernel panic logs or crash messages related to nf_osf_match_one or nfnetlink_osf, specifically looking for divide error oops messages.

Since the vulnerability involves the addition of a malicious fingerprint via nfnetlink, commands to check for unusual or suspicious OS fingerprint rules in netfilter could help.

  • Check kernel logs for crash messages: `dmesg | grep -i 'nf_osf_match_one'` or `dmesg | grep -i 'divide error'`
  • Inspect the firewall rules that use OS fingerprinting with iptables or nftables commands, for example: `iptables -L -v` to list the rules and spot any that use the osf match (`iptables -m osf --help` only prints that match's options).
  • Monitor for suspicious nfnetlink messages or configurations that add OS fingerprints with wss.val set to zero.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves preventing untrusted accounts or processes from adding OS fingerprints with wss.val equal to zero.

Since adding such fingerprints requires CAP_NET_ADMIN privileges, restricting this capability to trusted users is critical.

Applying the patch that rejects bogus fingerprints in nfnl_osf_add_callback() is the definitive fix.

  • Restrict CAP_NET_ADMIN capability to trusted users only.
  • Update the Linux kernel to a version that includes the fix for this vulnerability.
  • Monitor kernel logs for any signs of crashes related to this issue and reboot the system if a kernel panic occurs.
