CVE-2026-23397
Gravedad:
Pendiente de análisis
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
26/03/2026
Última modificación:
26/03/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
nfnetlink_osf: validate individual option lengths in fingerprints<br />
<br />
nfnl_osf_add_callback() validates opt_num bounds and string<br />
NUL-termination but does not check individual option length fields.<br />
A zero-length option causes nf_osf_match_one() to enter the option<br />
matching loop even when foptsize sums to zero, which matches packets<br />
with no TCP options where ctx->optp is NULL:<br />
<br />
Oops: general protection fault<br />
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]<br />
RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)<br />
Call Trace:<br />
nf_osf_match (net/netfilter/nfnetlink_osf.c:227)<br />
xt_osf_match_packet (net/netfilter/xt_osf.c:32)<br />
ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)<br />
nf_hook_slow (net/netfilter/core.c:623)<br />
ip_local_deliver (net/ipv4/ip_input.c:262)<br />
ip_rcv (net/ipv4/ip_input.c:573)<br />
<br />
Additionally, an MSS option (kind=2) with length
Impacto
Referencias a soluciones, herramientas e información
- https://git.kernel.org/stable/c/224f4678812e1a7bc8341bcb666773a0aec5ea6f
- https://git.kernel.org/stable/c/3932620c04c2938c93c0890c225960d3d34ba355
- https://git.kernel.org/stable/c/4c6aa008b913e808c4f4d3cde36cb1d9bb5967c6
- https://git.kernel.org/stable/c/aa0574182c46963c3cdb8cde46ec93aca21100d8
- https://git.kernel.org/stable/c/dbdfaae9609629a9569362e3b8f33d0a20fd783c
- https://git.kernel.org/stable/c/ec8bf0571b142f29dc0b68ae2ac3952f7a464b38