CVE-2026-23397
Published: 26 March 2026
Summary
CVE-2026-23397 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 4.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation of netlink fingerprint option lengths to prevent malformed inputs from causing null pointer dereferences or out-of-bounds reads during packet matching.
- Mandates timely remediation of the kernel flaw through application of upstream patches that reject invalid fingerprint options at addition time.
- Ensures the kernel handles invalid option lengths and a zero foptsize gracefully without entering faulty matching loops or accessing invalid memory.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local kernel out-of-bounds read / NULL pointer dereference in nfnetlink_osf/xt_osf enables denial of service through system exploitation (a crash during packet processing) and information disclosure from kernel memory.
NVD Description
In the Linux kernel, the following vulnerability has been resolved:

nfnetlink_osf: validate individual option lengths in fingerprints

nfnl_osf_add_callback() validates opt_num bounds and string NUL-termination but does not check individual option length fields. A zero-length option causes nf_osf_match_one() to enter the option matching loop even when foptsize sums to zero, which matches packets with no TCP options where ctx->optp is NULL:

    Oops: general protection fault
    KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
    RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
    Call Trace:
     nf_osf_match (net/netfilter/nfnetlink_osf.c:227)
     xt_osf_match_packet (net/netfilter/xt_osf.c:32)
     ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)
     nf_hook_slow (net/netfilter/core.c:623)
     ip_local_deliver (net/ipv4/ip_input.c:262)
     ip_rcv (net/ipv4/ip_input.c:573)

Additionally, an MSS option (kind=2) with length < 4 causes out-of-bounds reads when nf_osf_match_one() unconditionally accesses optp[2] and optp[3] for MSS value extraction. While RFC 9293 section 3.2 specifies that the MSS option is always exactly 4 bytes (Kind=2, Length=4), the check uses "< 4" rather than "!= 4" because lengths greater than 4 do not cause memory safety issues -- the buffer is guaranteed to be at least foptsize bytes by the ctx->optsize == foptsize check.

Reject fingerprints where any option has zero length, or where an MSS option has length less than 4, at add time rather than trusting these values in the packet matching hot path.
Deeper analysis
CVE-2026-23397 is a vulnerability in the Linux kernel's nfnetlink_osf module, which manages OS fingerprinting callbacks for netfilter, and the associated xt_osf iptables match extension. The issue arises because nfnl_osf_add_callback() validates option numbers and string NUL-termination but fails to check individual option length fields in fingerprints. A zero-length option triggers nf_osf_match_one() to enter a matching loop despite a zero foptsize sum, leading to a null pointer dereference when ctx->optp is NULL during packet processing. Additionally, an MSS option (kind=2) with length less than 4 causes out-of-bounds reads, as the function unconditionally accesses optp[2] and optp[3] for MSS value extraction.
A local attacker with low privileges can exploit this by submitting a malformed fingerprint via netlink, which is accepted without proper length validation. When the kernel later evaluates incoming TCP packets against an iptables rule that uses the xt_osf matcher (for example during ip_local_deliver), the malformed fingerprint triggers either a general protection fault from the null pointer dereference or out-of-bounds reads from the undersized MSS option. The result is a kernel crash or potential information disclosure, with a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H) and classification under CWE-125 (Out-of-Bounds Read).
Mitigation involves applying upstream kernel patches, as detailed in the referenced stable commit fixes: they reject fingerprints with zero-length options or MSS options shorter than 4 bytes during the add callback, preventing malformed data from reaching the packet matching hot path. The patches address the issues in net/netfilter/nfnetlink_osf.c and related components without altering existing valid fingerprints.
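To make the two rejected cases concrete, the following user-space C model is an added example (not kernel code and not part of this advisory) of the add-time checks described above: a fingerprint option with zero length, and an MSS option shorter than 4 bytes. It also shows the bounds-checked counterpart of reading optp[2] and optp[3]. The names struct fp_option, validate_fp_options(), fp_optsize(), read_mss_option() and mss_value_or_neg1() are hypothetical stand-ins, not the kernel's identifiers; the fingerprints and packet option bytes are constructed inputs.

```c
/* Added example, not kernel code: user-space model of the add-time checks the
 * fix describes. struct fp_option, validate_fp_options(), fp_optsize(),
 * read_mss_option() and mss_value_or_neg1() are hypothetical names. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCPOPT_MSS  2   /* TCP option kind: Maximum Segment Size (RFC 9293 3.2) */
#define MSS_OPT_LEN 4   /* kind + length + 2-byte MSS value */

/* One option entry of a fingerprint as submitted over netlink (model). */
struct fp_option {
    uint8_t kind;
    uint8_t length;     /* total option length, including kind and length bytes */
};

enum fp_result {
    FP_OK = 0,
    FP_ERR_ZERO_LENGTH, /* matcher would loop although foptsize sums to zero */
    FP_ERR_SHORT_MSS    /* MSS shorter than 4: optp[2]/optp[3] would be out of bounds */
};

/* Add-time validation: reject any zero-length option and any MSS option shorter
 * than 4 bytes. Lengths greater than 4 are accepted, as in the upstream fix,
 * because the matcher already guarantees the packet option buffer is at least
 * foptsize bytes long. On error, the offending index is stored in *bad_idx. */
enum fp_result validate_fp_options(const struct fp_option *opts, size_t n,
                                   size_t *bad_idx)
{
    for (size_t i = 0; i < n; i++) {
        if (opts[i].length == 0 ||
            (opts[i].kind == TCPOPT_MSS && opts[i].length < MSS_OPT_LEN)) {
            if (bad_idx)
                *bad_idx = i;
            return opts[i].length == 0 ? FP_ERR_ZERO_LENGTH : FP_ERR_SHORT_MSS;
        }
    }
    return FP_OK;
}

/* Sum of option lengths (the fingerprint's foptsize). With only zero-length
 * options this is 0, which is exactly what a packet with no TCP options has. */
size_t fp_optsize(const struct fp_option *opts, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += opts[i].length;
    return total;
}

/* Bounds-checked MSS extraction from a raw TCP options buffer: the hardened
 * counterpart of reading optp[2] and optp[3] unconditionally. Returns 1 and
 * stores the MSS on success, 0 for a NULL/too-short buffer or malformed option. */
int read_mss_option(const uint8_t *optp, size_t optsize, uint16_t *mss)
{
    if (optp == NULL || optsize < MSS_OPT_LEN)
        return 0;
    if (optp[0] != TCPOPT_MSS || optp[1] < MSS_OPT_LEN || optp[1] > optsize)
        return 0;
    *mss = (uint16_t)((optp[2] << 8) | optp[3]);
    return 1;
}

/* Convenience wrapper: the MSS value, or -1 when read_mss_option() rejects the buffer. */
int mss_value_or_neg1(const uint8_t *optp, size_t optsize)
{
    uint16_t mss = 0;
    return read_mss_option(optp, optsize, &mss) ? (int)mss : -1;
}

int main(void)
{
    /* Constructed fingerprints: one well-formed, two of the kind the fix rejects. */
    const struct fp_option good[] = { { TCPOPT_MSS, 4 }, { 3, 3 }, { 1, 1 } };
    const struct fp_option zero[] = { { 0, 0 } };
    const struct fp_option smss[] = { { TCPOPT_MSS, 2 } };
    size_t idx = 0;
    enum fp_result r;

    r = validate_fp_options(good, 3, &idx);
    printf("good:        result=%d foptsize=%zu\n", r, fp_optsize(good, 3));
    r = validate_fp_options(zero, 1, &idx);
    printf("zero-length: result=%d at index %zu foptsize=%zu\n", r, idx, fp_optsize(zero, 1));
    r = validate_fp_options(smss, 1, &idx);
    printf("short MSS:   result=%d at index %zu\n", r, idx);

    /* Constructed packet options: MSS=1460 (0x05b4) followed by a NOP. */
    const uint8_t pkt_opts[] = { 2, 4, 0x05, 0xb4, 1 };
    printf("MSS from packet: %d\n", mss_value_or_neg1(pkt_opts, sizeof pkt_opts));
    /* A packet with no TCP options (optp NULL) must never be dereferenced. */
    printf("no options:  %d\n", mss_value_or_neg1(NULL, 0));
    return 0;
}
```

The point of the split between validate_fp_options() and read_mss_option() mirrors the fix's reasoning: the cheap place to reject a bad fingerprint is once, at add time over netlink, rather than on every packet in the matching hot path, but the matcher should still refuse to touch optp when the packet carries no options.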
Details
- CWE(s): CWE-125 (Out-of-bounds Read)