CVE-2026-23397
Severity CVSS v4.0:
Pending analysis
Type:
CWE-125
Out-of-bounds Read
Publication date:
26/03/2026
Last modified:
24/04/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
nfnetlink_osf: validate individual option lengths in fingerprints<br />
<br />
nfnl_osf_add_callback() validates opt_num bounds and string<br />
NUL-termination but does not check individual option length fields.<br />
A zero-length option causes nf_osf_match_one() to enter the option<br />
matching loop even when foptsize sums to zero, which matches packets<br />
with no TCP options where ctx->optp is NULL:<br />
<br />
Oops: general protection fault<br />
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]<br />
RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)<br />
Call Trace:<br />
nf_osf_match (net/netfilter/nfnetlink_osf.c:227)<br />
xt_osf_match_packet (net/netfilter/xt_osf.c:32)<br />
ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)<br />
nf_hook_slow (net/netfilter/core.c:623)<br />
ip_local_deliver (net/ipv4/ip_input.c:262)<br />
ip_rcv (net/ipv4/ip_input.c:573)<br />
<br />
Additionally, an MSS option (kind=2) with length
Impact
Base Score 3.x
7.10
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 2.6.31.1 (including) | 5.10.253 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.203 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.167 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.130 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.78 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.20 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 6.19.10 (excluding) |
| cpe:2.3:o:linux:linux_kernel:2.6.31:-:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/224f4678812e1a7bc8341bcb666773a0aec5ea6f
- https://git.kernel.org/stable/c/3932620c04c2938c93c0890c225960d3d34ba355
- https://git.kernel.org/stable/c/3c11b5c2436a3a5b450612ab160e3a525b28cfb5
- https://git.kernel.org/stable/c/4c6aa008b913e808c4f4d3cde36cb1d9bb5967c6
- https://git.kernel.org/stable/c/aa0574182c46963c3cdb8cde46ec93aca21100d8
- https://git.kernel.org/stable/c/dbdfaae9609629a9569362e3b8f33d0a20fd783c
- https://git.kernel.org/stable/c/e9cf17b91e733fec725ebcc0b3098bc5ccd505e0
- https://git.kernel.org/stable/c/ec8bf0571b142f29dc0b68ae2ac3952f7a464b38