CVE-2026-46101

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: reject zero shift in nft_bitwise<br /> <br /> Reject zero shift operands for nft_bitwise left and right shift<br /> expressions during initialization.<br /> <br /> The carry propagation logic computes the carry from the adjacent 32-bit<br /> word using BITS_PER_TYPE(u32) - shift. A zero shift operand turns this<br /> into a 32-bit shift, which is undefined behaviour.<br /> <br /> Reject zero shift operands in the control plane, alongside the existing<br /> check for values greater than or equal to 32, so malformed rules never<br /> reach the packet path.