CVE-2026-45844
Linux Kernel IEEE1394 ARP Payload Parsing Flaw

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: arp_tables: fix IEEE1394 ARP payload parsing

Weiming Shi says:

"arp_packet_match() unconditionally parses the ARP payload assuming two hardware addresses are present (source and target). However, IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address field, and arp_hdr_len() already accounts for this by returning a shorter length for ARPHRD_IEEE1394 devices.

As a result, on IEEE1394 interfaces arp_packet_match() advances past a nonexistent target hardware address and reads the wrong bytes for both the target device address comparison and the target IP address. This causes arptables rules to match against garbage data, leading to incorrect filtering decisions: packets that should be accepted may be dropped and vice versa.

The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already handles this correctly by skipping the target hardware address for ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match()."

Mangle the original patch to always return 0 (no match) in case user matches on the target hardware address which is never present in IEEE1394. Note that this returns 0 (no match) for both normal and inverse match because matching on the target hardware address in ARPHRD_IEEE1394 has never been supported by arptables. This is intentional, matching on the target hardware address should never evaluate true for ARPHRD_IEEE1394.

Moreover, adjust arpt_mangle to drop the packet too as AI suggests:

In arpt_mangle, the logic assumes a standard ARP layout. Because IEEE1394 (FireWire) omits the target hardware address, the linear pointer arithmetic miscalculates the offset for the target IP address. This causes mangling operations to write to the wrong location, leading to packet corruption.

To ensure safety, this patch drops packets (NF_DROP) when mangling is requested for these fields on IEEE1394 devices, as the current implementation cannot correctly map the FireWire ARP payload. This omits both mangling target hardware and IP address. Even if IP address mangling should be possible in IEEE1394, this would require adjusting the arpt_mangle offset calculation, which has never been supported.

Based on patch from Weiming Shi <[email protected]>.

Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-05-27
AI Q&A: 2026-05-27
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux_kernel
Product: linux_kernel
Version / Range: *

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's netfilter ARP tables handling for IEEE1394 (FireWire) interfaces. The arp_packet_match() function incorrectly assumes that ARP packets always contain two hardware addresses (source and target). However, for IPv4-over-IEEE1394 ARP packets, the target hardware address is omitted according to RFC 2734.

Because arp_packet_match() tries to parse a non-existent target hardware address, it reads incorrect bytes for the target device and IP address comparisons. This causes arptables rules to match against invalid data, leading to incorrect filtering decisions where packets that should be accepted might be dropped and vice versa.

The fix involves modifying arp_packet_match() to always return no match (0) when matching on the target hardware address for IEEE1394 devices, since such matching is unsupported. Additionally, the arpt_mangle function is adjusted to drop packets when mangling is requested on these fields for IEEE1394, preventing packet corruption caused by incorrect offset calculations.
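
The layout difference described above can be modelled in userspace. This is an added example, not the kernel's code or the patch: the function names are hypothetical, the 16-byte hardware address length is the one RFC 2734 defines, and the sample payload is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ARPHRD_ETHER     1  /* values as in linux/if_arp.h */
#define ARPHRD_IEEE1394 24

/* Byte offsets inside the ARP payload (after the fixed ARP header). */
struct arp_layout { size_t tgt_hw, tgt_ip, total; int has_tgt_hw; };

/* Layout-aware mapping: sender hw (hlen), sender IP (4), then the target
 * hw address only when the link type carries one, then target IP (4). */
static struct arp_layout arp_layout_for(unsigned hw_type, size_t hlen)
{
    int has = (hw_type != ARPHRD_IEEE1394);
    size_t tgt_hw = hlen + 4, tgt_ip = tgt_hw + (has ? hlen : 0);
    struct arp_layout l = { tgt_hw, tgt_ip, tgt_ip + 4, has };
    return l;
}

/* The flawed assumption: two hardware addresses are always present. */
static size_t naive_tgt_ip_off(size_t hlen) { return 2 * hlen + 4; }

/* Bounds-checked read; -1 means the offset points outside the payload. */
static int read_ip(const uint8_t *p, size_t len, size_t off, uint8_t ip[4])
{
    if (off > len || len - off < 4) return -1;
    memcpy(ip, p + off, 4);
    return 0;
}

/* Constructed sample: IEEE1394 payload = 16-byte sender hw, 192.0.2.1, 192.0.2.2. */
static size_t sample_1394(uint8_t buf[24])
{
    static const uint8_t sip[4] = {192, 0, 2, 1}, tip[4] = {192, 0, 2, 2};
    memset(buf, 0xA5, 16);
    memcpy(buf + 16, sip, 4);
    memcpy(buf + 20, tip, 4);
    return 24;
}

int main(void)
{
    uint8_t buf[24], ip[4] = {0};
    size_t len = sample_1394(buf), bad = naive_tgt_ip_off(16);
    size_t ok = arp_layout_for(ARPHRD_IEEE1394, 16).tgt_ip;
    printf("naive offset %zu readable=%d\n", bad, read_ip(buf, len, bad, ip) == 0);
    read_ip(buf, len, ok, ip);
    printf("fixed offset %zu -> %u.%u.%u.%u\n", ok, ip[0], ip[1], ip[2], ip[3]);
    return 0;
}
```

For Ethernet the two offset calculations agree; for IEEE1394 the naive offset lands past the end of the payload, which in a parser without the bounds check means comparing against whatever bytes follow.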


How can this vulnerability impact me?

This vulnerability can cause incorrect packet filtering on IEEE1394 network interfaces. Specifically, packets that should be accepted might be dropped, and packets that should be dropped might be accepted due to the misinterpretation of ARP payload data.

Such incorrect filtering can lead to network communication issues, potentially disrupting legitimate traffic or allowing unwanted traffic through the firewall rules.

Additionally, attempts to mangle (modify) certain ARP fields on IEEE1394 devices could corrupt packets, leading to further network instability or failures.


What immediate steps should I take to mitigate this vulnerability?

This vulnerability affects the arp_tables component of the Linux kernel's netfilter system, specifically on IEEE1394 (FireWire) interfaces where ARP payload parsing is incorrect.

Immediate mitigation steps include applying the patch that fixes arp_packet_match() to correctly handle the missing target hardware address in IEEE1394 ARP packets.

Additionally, the patch drops packets (NF_DROP) when a rule requests mangling of the target hardware or IP address on IEEE1394 devices, which prevents packet corruption.

Therefore, to mitigate this vulnerability, update your Linux kernel to a version that includes this fix or apply the relevant patch to ensure correct ARP payload parsing and safe packet handling on IEEE1394 interfaces.

