CVE-2026-52998

HIGH

netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check The nf_osf_ttl() function accessed skb->dev to perform a local interface address lookup without verifying that the device pointer was valid. Additionally, the implementation utilized an in_dev_for_each_ifa_rcu loop to match the packet source address against local interface addresses. It assumed that packets from the same subnet should not see a decrement on the initial TTL. A packet might appear it is from the same subnet but it actually isn't especially in modern environments with containers and virtual switching. Remove the device dereference and interface loop. Replace the logic with a switch statement that evaluates the TTL according to the ttl_check.

Scores

CVSS v3 7.5
EPSS 0.0051
EPSS Percentile 39.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

Status published
Products (25)
linux/Kernel 2.6.31 - 5.10.258linux
linux/Kernel 5.11.0 - 5.15.209linux
linux/Kernel 5.16.0 - 6.1.175linux
linux/Kernel 6.13.0 - 6.18.33linux
linux/Kernel 6.19.0 - 7.0.10linux
linux/Kernel 6.2.0 - 6.6.141linux
linux/Kernel 6.7.0 - 6.12.91linux
Linux/Linux < 2.6.31
Linux/Linux 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 - 5d05de2f0928d81309a815ecc76d1a3ad72cbc16
Linux/Linux 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 - 711987ba281fd806322a7cd244e98e2a81903114
... and 15 more
Published Jun 24, 2026
Tracked Since Jun 24, 2026