CVE-2026-46244: netfilter: nft_inner: Fix IPv6 inner_thoff desync
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_inner: Fix IPv6 inner_thoff desync

In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.

For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.
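To make the desync concrete, here is an added illustration (constructed for this page, not kernel code): a minimal IPv6 extension-header walk in the spirit of ipv6_find_hdr(), placed beside the fixed nhoff + 40 shortcut that the pre-fix nft_inner path used, run over a constructed inner packet carrying one Destination Options header before TCP. The helper names and the sample packet are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed illustration (not kernel code): a minimal IPv6 extension-header
 * walk in the spirit of ipv6_find_hdr(), beside the "nhoff + 40" shortcut the
 * pre-fix nft_inner path used, to show how the two disagree once an
 * extension header sits between the base header and the transport header. */
#define IPV6_HDR_LEN 40
#define NH_HOPOPTS   0
#define NH_TCP       6
#define NH_ROUTING   43
#define NH_DSTOPTS   60

/* Walk the base header plus chained Hop-by-Hop/Routing/Destination Options
 * headers starting at nhoff. Returns the transport header offset (-1 if the
 * packet is truncated) and stores the final Next Header value in *l4proto. */
int find_transport_offset(const uint8_t *pkt, size_t len, size_t nhoff, int *l4proto)
{
    if (nhoff + IPV6_HDR_LEN > len)
        return -1;
    int nexthdr = pkt[nhoff + 6];          /* Next Header field of the base header */
    size_t off = nhoff + IPV6_HDR_LEN;
    while (nexthdr == NH_HOPOPTS || nexthdr == NH_ROUTING || nexthdr == NH_DSTOPTS) {
        if (off + 2 > len)
            return -1;
        size_t hdrlen = ((size_t)pkt[off + 1] + 1) * 8; /* Hdr Ext Len: 8-octet units, first 8 not counted */
        if (off + hdrlen > len)
            return -1;
        nexthdr = pkt[off];                /* Next Header of this extension header */
        off += hdrlen;
    }
    *l4proto = nexthdr;
    return (int)off;
}

/* The pre-fix computation: only the 40-byte base header is accounted for. */
int buggy_transport_offset(size_t nhoff) { return (int)(nhoff + IPV6_HDR_LEN); }

/* Constructed sample: base header -> 8-byte Destination Options -> 20-byte TCP.
 * Returns the number of bytes by which the two offset computations disagree. */
int sample_desync(void)
{
    uint8_t pkt[40 + 8 + 20] = {0};
    pkt[0] = 0x60; pkt[5] = 28;          /* version 6; payload length 8 + 20 */
    pkt[6] = NH_DSTOPTS;                 /* base header chains to Destination Options */
    pkt[40] = NH_TCP; pkt[41] = 0;       /* DstOpts: next header TCP, Hdr Ext Len 0 = 8 bytes */
    pkt[42] = 1; pkt[43] = 4;            /* PadN option covering the remaining 6 bytes */
    int l4 = -1;
    int good = find_transport_offset(pkt, sizeof pkt, 0, &l4);
    int bad = buggy_transport_offset(0);
    return good - bad;                   /* 8: the buggy offset lands on the DstOpts header */
}
```

With one 8-byte extension header the walk reports thoff 48 and l4proto TCP, while the shortcut reports 40, so a rule matching "TCP at inner_thoff" would read option bytes as if they were a TCP header; without extension headers the two agree, which is why the fix preserves the walk's result.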
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: 0
- Affected Products: 2
HarborGuard Analysis
Synopsis
A firewall bypass vulnerability exists in the Linux kernel's netfilter subsystem, specifically in the nft_inner module responsible for parsing inner IPv6 packet headers. The flaw is reachable over the network without any authentication, by sending crafted IPv6 packets with extension headers to a host running an affected kernel with nftables inner-packet inspection rules. Successful exploitation lets an attacker forge transport-layer header data, causing nftables to evaluate incorrect protocol offsets and bypass firewall rules entirely, which may allow traffic that should be blocked to pass through undetected. Patched-image rebuilds at versions 6.6.142, 6.12.92, and 6.18.34 (and the associated commit) are available on HarborGuard for environments running affected kernel versions.
HarborGuard Coverage
Detection capability for CVE-2026-46244 is available across every HarborGuard environment, with ingestion from upstream kernel security feeds occurring within minutes of publication and matching applied against all customer images, including custom-built images that bundle an affected Linux kernel version. Any image in a connected registry or CI pipeline that carries a kernel in the affected range (6.2 through the fix commits) is flagged automatically.
Status: Available
HarborGuard scores this finding at CVSS 9.1 (Critical) using the published v3.1 vector and weights it against each environment's compliance policy to determine escalation priority. Findings are routed to the appropriate team inbox within the customer organization based on image ownership and policy configuration.
Status: Available
A patched-image rebuild at the applicable fix version (6.6.142, 6.12.92, or 6.18.34 depending on the kernel branch in use) becomes available through HarborGuard once the upstream fix is confirmed against the scanned image. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test pass, and opens a pull request against affected workloads; where compliance policy permits, this flow typically completes within roughly 90 minutes of CVE publication for Critical-severity findings.
Status: Available
Exploit Conditions
- Network reachability: Required
The attacker must be able to send IPv6 packets to the target host over the network; no local access is required.
- Authentication: Not required
No account, credential, or session is needed to send the malformed IPv6 packets that trigger the offset desync.
- Victim interaction: Not required
Exploitation is passive from the victim's perspective; no user action or click is required.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory-layout knowledge, or environmental prerequisites beyond sending crafted packets.
Blast Radius
- An attacker reads confidential data from network streams that firewall rules were intended to block, because those rules are silently bypassed due to the forged transport header offset.
- An attacker injects or modifies traffic flows that nftables inner-packet rules should have rejected, tampering with data in transit across the affected host.
- Firewall policy integrity is undermined broadly: any nftables rule relying on inner IPv6 transport-header inspection is rendered ineffective for the duration the bug is present.
How HarborGuard Handles This
Available on HarborGuard: detection, triage, and rebuild coverage for CVE-2026-46244 across all connected environments. Images carrying an affected kernel version are flagged within minutes of feed ingestion. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the appropriate fixed kernel branch (6.6.142, 6.12.92, or 6.18.34), runs a regression test pass, and opens a pull request against affected workloads; for Critical-severity issues the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where auto-remediation is not enabled or compliance policy requires manual approval, the finding is surfaced in the team inbox with the CVSS 9.1 score and affected image list for engineer review. As a compensating control while a rebuild is pending, network-policy isolation can be applied to restrict inbound IPv6 traffic carrying extension headers to only trusted sources, reducing the reachable attack surface for this firewall-bypass path.
Fix available
- Linux / Linux: < c161ad9157f5a0429b5ff94d9770faf3bf48d273 (from 3a07327d10a09379315c844c63f27941f5081e0a) · < 870d59e2cf218e7418491e26bad768cb16654582 (from 3a07327d10a09379315c844c63f27941f5081e0a) · < 689bbf48c1f45130086ae1c46ab83ea4c753c601 (from 3a07327d10a09379315c844c63f27941f5081e0a) · < d0f98a3617f6ae5b1e95cde1e68e7ead4a1279ce (from 3a07327d10a09379315c844c63f27941f5081e0a) · < b6a91f68ebfed9c38e0e9150f58a9b85da07181c (from 3a07327d10a09379315c844c63f27941f5081e0a)
- Linux / Linux 6.2: Fixed in 0, 6.6.142, 6.12.92, 6.18.34, 7.0.11, 7.1-rc5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N