CVE-2026-46244

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nft_inner: Fix IPv6 inner_thoff desync<br /> <br /> In nft_inner_parse_l2l3(), when processing inner IPv6 packets,<br /> ipv6_find_hdr() correctly computes the transport header offset<br /> traversing all extension headers, but the result is immediately<br /> overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only<br /> accounts for the IPv6 base header. This creates a desync between<br /> inner_thoff (wrong — points to extension header start) and l4proto<br /> (correct — e.g., IPPROTO_TCP), enabling transport header forgery<br /> and potential firewall bypass. This issue affects stable versions<br /> from Linux 6.2.<br /> <br /> For comparison, the normal (non-inner) IPv6 path correctly<br /> preserves ipv6_find_hdr()&amp;#39;s result. Removing the incorrect overwrite<br /> ensures that ipv6_find_hdr()&amp;#39;s calculated transport header offset is<br /> preserved, thereby fixing the desynchronization.