CVE-2026-52921
Analyzed Analyzed - Analysis Complete

Netfilter Hash Set Range Iteration Boundary Fix

Vulnerability report for CVE-2026-52921, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-08

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: stop hash:* range iteration at end The following hash set variants: hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net iterate IPv4 ranges with a 32-bit iterator. The iterator must stop once the last address in the requested range has been processed. Advancing it once more can move the traversal state past the end of the request, so a later retry may continue from an unintended position. Handle the iterator increment explicitly at the end of the loop and stop once the upper bound has been processed. This keeps the existing retry behaviour intact for valid ranges while preventing traversal from continuing past the original boundary.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-08
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 16 associated CPEs
Vendor Product Version / Range
linux linux_kernel 4.14
linux linux_kernel 4.14
linux linux_kernel 4.14
linux linux_kernel 4.14
linux linux_kernel 4.14
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 5.16 (inc) to 6.1.175 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.209 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.92 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.34 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.11 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.142 (exc)
linux linux_kernel From 4.14.1 (inc) to 5.10.258 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability in the Linux kernel's netfilter ipset component involves improper handling of IPv4 range iteration in certain hash set variants. Specifically, the iterator can advance past the end of the requested range, potentially causing traversal to continue from an unintended position during retries.

The impact could include unexpected behavior in network filtering or firewall rules that rely on these ipset hash sets, possibly leading to incorrect packet filtering or security policy enforcement.

Executive Summary

This vulnerability exists in the Linux kernel's netfilter ipset feature, specifically in certain hash set variants that iterate over IPv4 address ranges using a 32-bit iterator.

The problem occurs because the iterator does not stop correctly after processing the last address in the requested range. If the iterator advances once more beyond the end, it can cause the traversal state to move past the intended boundary.

As a result, a later retry of the iteration may continue from an unintended position, potentially causing unexpected behavior.

The fix involves explicitly handling the iterator increment at the end of the loop and stopping once the upper bound has been processed, preventing traversal beyond the original boundary while maintaining valid retry behavior.

Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by fixing the iterator handling in netfilter ipset hash set variants.

To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52921. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart