CVE-2026-46244
Analyzed Analyzed - Analysis Complete
Linux Kernel IPv6 Inner Packet Header Desynchronization

Publication date: 2026-06-03

Last updated on: 2026-06-09

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong β€” points to extension header start) and l4proto (correct β€” e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-09
Generated
2026-06-24
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2026-46244
EUVD
EUVD-2026-34106
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.7 (inc) to 6.12.92 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.34 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.11 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.142 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's netfilter nft_inner component when processing inner IPv6 packets. Specifically, the function ipv6_find_hdr() correctly calculates the transport header offset by traversing all IPv6 extension headers, but this correct result is immediately overwritten with a fixed offset that only accounts for the IPv6 base header. This causes a desynchronization between the transport header offset and the actual protocol header, which can lead to transport header forgery and potentially allow firewall bypass.

The issue affects stable Linux kernel versions starting from 6.2 and is fixed by removing the incorrect overwrite so that the correct transport header offset is preserved.

Impact Analysis

This vulnerability can allow an attacker to forge transport headers in IPv6 packets, which may enable them to bypass firewall rules that rely on correct header parsing. As a result, unauthorized network traffic could pass through security controls, potentially exposing systems to attacks or unauthorized access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46244. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart