CVE-2026-52999
Status: Received - Intake
Buffer Over-Read in Linux Kernel Netfilter OSF Module

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_osf: fix out-of-bounds read on option matching

In nf_osf_match(), the nf_osf_hdr_ctx structure is initialized once and passed by reference to nf_osf_match_one() for each fingerprint checked. During TCP option parsing, nf_osf_match_one() advances the shared ctx->optp pointer. If a fingerprint perfectly matches, the function returns early without restoring ctx->optp to its initial state.

If the user has configured NF_OSF_LOGLEVEL_ALL, the loop continues to the next fingerprint. However, because ctx->optp was not restored, the next call to nf_osf_match_one() starts parsing from the end of the options buffer. This causes subsequent matches to read garbage data and fail immediately, making it impossible to log more than one match, or logging incorrect matches.

Instead of using a shared ctx->optp pointer, pass the context as a constant pointer and use a local pointer (optp) for TCP option traversal. This makes nf_osf_match_one() strictly stateless from the caller's perspective, ensuring every fingerprint check starts at the correct option offset.
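To make the mechanism concrete, the following is an added, simplified C model of the two callers and is not the kernel's code: the vulnerable caller lets a perfect match leave the shared ctx cursor at the end of the options, the fixed caller traverses with a local pointer as the patch describes. The struct and function names, the fingerprint layouts and the option bytes are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Simplified model of nf_osf_match()/nf_osf_match_one(), not the kernel's code:
 * a fingerprint is the ordered list of TCP option kinds/lengths it expects. */
struct osf_opt { uint8_t kind, length; };
struct fp      { const struct osf_opt *opt; size_t opt_num; };
struct hdr_ctx { const uint8_t *optp, *end; };   /* stands in for nf_osf_hdr_ctx */
/* Walk the options at *optp against f. As in the original, the cursor is restored only
 * on failure and left at the end on success; the model bounds-checks where the kernel read on. */
static bool match_one(const uint8_t **optp, const uint8_t *end, const struct fp *f)
{
    const uint8_t *optpinit = *optp;
    for (size_t i = 0; i < f->opt_num; i++) {
        if ((size_t)(end - *optp) < f->opt[i].length || **optp != f->opt[i].kind) {
            *optp = optpinit;
            return false;
        }
        *optp += f->opt[i].length;          /* step over this option */
    }
    return true;
}
/* Vulnerable caller: all fingerprints share ctx->optp, so after one perfect match
 * the next check starts at the end of the buffer and fails at once. */
static int count_matches_shared(struct hdr_ctx *ctx, const struct fp *fps, size_t n)
{
    int found = 0;
    for (size_t i = 0; i < n; i++)          /* NF_OSF_LOGLEVEL_ALL: keep looping */
        if (match_one(&ctx->optp, ctx->end, &fps[i])) found++;
    return found;
}
/* Fixed caller: ctx is const and each check traverses with a local pointer. */
static int count_matches_local(const struct hdr_ctx *ctx, const struct fp *fps, size_t n)
{
    int found = 0;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *optp = ctx->optp;    /* fresh cursor for every fingerprint */
        if (match_one(&optp, ctx->end, &fps[i])) found++;
    }
    return found;
}
/* Constructed sample: options MSS(1460), NOP, WSCALE(7); two fingerprints share that
 * exact layout and a third does not. Returns the match count of the chosen caller. */
static int demo(bool fixed)
{
    static const uint8_t opts[] = { 2, 4, 0x05, 0xb4, 1, 3, 3, 7 };
    static const struct osf_opt same[] = { {2, 4}, {1, 1}, {3, 3} }, other[] = { {2, 4}, {3, 3} };
    const struct fp fps[] = { { same, 3 }, { same, 3 }, { other, 2 } };
    struct hdr_ctx ctx = { opts, opts + sizeof opts };
    return fixed ? count_matches_local(&ctx, fps, 3) : count_matches_shared(&ctx, fps, 3);
}
```

With the shared cursor only the first of the two identical fingerprints is counted; with the local cursor both are, which is the logging behaviour the fix restores.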
Meta Information

Generated: 2026-06-25

EPSS evaluated: N/A
Affected Vendors & Products (1 associated CPE)

Vendor: linux_kernel
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's netfilter component, specifically in the nfnetlink_osf module responsible for matching TCP fingerprints.

The issue arises because a shared pointer (ctx->optp) used during TCP option parsing is advanced as fingerprints are checked, but not reset when a perfect match is found. This causes subsequent fingerprint checks to start parsing from an incorrect position, leading to out-of-bounds reads.

As a result, the system may read garbage data or fail to log multiple matches correctly. The fix involves making the parsing function stateless by using a local pointer for TCP option traversal instead of a shared one, ensuring each fingerprint check starts at the correct offset.

Impact Analysis

This vulnerability can impact the accuracy and reliability of TCP fingerprint matching and logging in the Linux kernel's netfilter subsystem.

Specifically, it can cause out-of-bounds reads leading to incorrect or failed logging of multiple fingerprint matches. This may result in incomplete or misleading network traffic analysis and monitoring.

While it does not directly indicate a system compromise, the inability to properly log or detect multiple fingerprints could reduce the effectiveness of security monitoring and intrusion detection mechanisms.
