HIGHCVE-2026-43190Published Modified CNA Linux
CVE-2026-43190: netfilter: xt_tcpmss: check remaining length before reading optlen
In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_tcpmss: check remaining length before reading optlen Quoting reporter: In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads op[i+1] directly without validating the remaining option length. If the last byte of the option field is not EOL/NOP (0/1), the code attempts to index op[i+1]. In the case where i + 1 == optlen, this causes an out-of-bounds read, accessing memory past the optlen boundary (either reading beyond the stack buffer _opt or the following payload).
Metrics
- CVSS v3.1
- 8.2
- Severity
- HIGH
- Fixed in
- 0
- Affected Products
- 2
Fix available
007a9b32eaae792ff7d0fcac14d8920c937c0a9c35.10.2525.15.2025e13d0a37666955b6cfddc0f73cb40ed645b8a056.1.1656.6.1286.12.756.18.166.19.67.0735ee8582da3d239eb0c7a53adca61b79fb228b38b300f726640c48c3edfe9c453334dd801f4b74ecd5beda7e0e32865e214f28034bb92c1cecff885eaedc0bc18be46fe7f58170e967959a932c4f824f6c412dcfd76b0516d51aa847d8f4c7b70381b09f895191dc32c53eaf443b6443fe40945b2f92287
Affected packages
- Linux / Linux< f895191dc32c53eaf443b6443fe40945b2f92287 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · < cd5beda7e0e32865e214f28034bb92c1cecff885 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · < eaedc0bc18be46fe7f58170e967959a932c4f824 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · < 07a9b32eaae792ff7d0fcac14d8920c937c0a9c3 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · < 8b300f726640c48c3edfe9c453334dd801f4b74e (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · < 5e13d0a37666955b6cfddc0f73cb40ed645b8a05 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2)
- Linux / Linux2.6.12Fixed in 0, 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H