CVE-2026-45841

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO<br /> <br /> nf_osf_match_one() computes ctx-&gt;window % f-&gt;wss.val in the<br /> OSF_WSS_MODULO branch with no guard for f-&gt;wss.val == 0. A<br /> CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a<br /> subsequent matching TCP SYN divides by zero and panics the kernel.<br /> <br /> Reject the bogus fingerprint in nfnl_osf_add_callback() above the<br /> per-option for-loop. f-&gt;wss is per-fingerprint, not per-option, so<br /> the check must run regardless of f-&gt;opt_num (including 0). Also<br /> reject wss.wc &gt;= OSF_WSS_MAX; nf_osf_match_one() already treats that<br /> as "should not happen".<br /> <br /> Crash:<br /> Oops: divide error: 0000 [#1] SMP KASAN NOPTI<br /> RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)<br /> Call Trace:<br /> <br /> nf_osf_match (net/netfilter/nfnetlink_osf.c:220)<br /> xt_osf_match_packet (net/netfilter/xt_osf.c:32)<br /> ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)<br /> nf_hook_slow (net/netfilter/core.c:622)<br /> ip_local_deliver (net/ipv4/ip_input.c:265)<br /> ip_rcv (include/linux/skbuff.h:1162)<br /> __netif_receive_skb_one_core (net/core/dev.c:6181)<br /> process_backlog (net/core/dev.c:6642)<br /> __napi_poll (net/core/dev.c:7710)<br /> net_rx_action (net/core/dev.c:7945)<br /> handle_softirqs (kernel/softirq.c:622)