HarborGuard Database
CVE-2026-52999 · Severity: CRITICAL · CNA: Linux

CVE-2026-52999: netfilter: nfnetlink_osf: fix out-of-bounds read on option matching

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_osf: fix out-of-bounds read on option matching

In nf_osf_match(), the nf_osf_hdr_ctx structure is initialized once and passed by reference to nf_osf_match_one() for each fingerprint checked. During TCP option parsing, nf_osf_match_one() advances the shared ctx->optp pointer. If a fingerprint perfectly matches, the function returns early without restoring ctx->optp to its initial state.

If the user has configured NF_OSF_LOGLEVEL_ALL, the loop continues to the next fingerprint. However, because ctx->optp was not restored, the next call to nf_osf_match_one() starts parsing from the end of the options buffer. This causes subsequent matches to read garbage data and fail immediately, making it impossible to log more than one match or logging incorrect matches.

Instead of using a shared ctx->optp pointer, pass the context as a constant pointer and use a local pointer (optp) for TCP option traversal. This makes nf_osf_match_one() strictly stateless from the caller's perspective, ensuring every fingerprint check starts at the correct option offset.
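As an added illustration (this is not the kernel's code and not HarborGuard's), the C model below reproduces the cursor-handling defect the fix commit describes: a header context shared across fingerprints whose option cursor is advanced by a successful match, so that with logging of all matches enabled the next fingerprint is compared starting at the end of the option buffer. The struct and function names mirror the kernel's, but the structs, the sample SYN option bytes and the three fingerprints are constructed for the demo, the kernel's TTL, window-size and option-length checks are omitted, and the option read is instrumented so the out-of-bounds access is counted rather than performed. The pre-fix and post-fix variants of match_one run side by side over the same input.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Reduced model of nf_osf_match()/nf_osf_match_one() (not the kernel's code): a
 * header context shared across fingerprints and a per-fingerprint walk over the
 * packet's TCP option bytes. The kernel's TTL, window-size and total option-length
 * checks, which run before the walk, are left out. */
struct fp_opt { uint8_t kind; uint8_t len; };       /* expected option kind/length */
struct finger { const char *genre; int opt_num; struct fp_opt opt[8]; };
struct osf_hdr_ctx { const uint8_t *optp; };        /* shared cursor into the options */
/* Instrumented read: the kernel dereferences the cursor directly; here each read is
 * bounds-checked so an out-of-bounds access is counted rather than performed. */
static const uint8_t *g_buf_start, *g_buf_end;
static unsigned int g_oob_reads;

static uint8_t rd(const uint8_t *p)
{
    if (p < g_buf_start || p >= g_buf_end) {
        g_oob_reads++;
        return 0;                   /* stands in for whatever follows the options */
    }
    return *p;
}

/* Compare the options against one fingerprint, advancing *cursor one option at a
 * time by the fingerprint's length, as the kernel advances ctx->optp. */
static bool walk_opts(const struct finger *f, const uint8_t **cursor)
{
    for (int i = 0; i < f->opt_num; i++) {
        if (rd(*cursor) != f->opt[i].kind)
            return false;           /* cursor stays where the walk stopped */
        *cursor += f->opt[i].len;
    }
    return true;
}

/* Pre-fix: the shared cursor is restored only on a failed match, so a full match
 * leaves ctx->optp at the end of the option buffer. */
static bool match_one_buggy(const struct finger *f, struct osf_hdr_ctx *ctx)
{
    const uint8_t *optpinit = ctx->optp;
    bool ok = walk_opts(f, &ctx->optp);
    if (!ok)
        ctx->optp = optpinit;
    return ok;
}

/* Post-fix: ctx is const and a local cursor is used, so every fingerprint check
 * starts at the same option offset. */
static bool match_one_fixed(const struct finger *f, const struct osf_hdr_ctx *ctx)
{
    const uint8_t *optp = ctx->optp;
    return walk_opts(f, &optp);
}

/* The NF_OSF_LOGLEVEL_ALL loop: keep checking after a match so every matching
 * fingerprint can be logged. Returns the hit count; g_oob_reads holds the OOB count. */
static int count_matches(const uint8_t *opts, unsigned int optsize,
                         const struct finger *fingers, int nfingers, bool fixed)
{
    struct osf_hdr_ctx ctx = { .optp = opts };
    int hits = 0;
    g_buf_start = opts;
    g_buf_end = opts + optsize;
    g_oob_reads = 0;
    for (int i = 0; i < nfingers; i++)
        hits += fixed ? match_one_fixed(&fingers[i], &ctx)
                      : match_one_buggy(&fingers[i], &ctx);
    return hits;
}

/* Constructed sample: the option block of a typical Linux SYN (20 bytes):
 * MSS 1460, SACK-permitted, timestamps, NOP, window scale 7. */
static const uint8_t SYN_OPTS[] = {
    2, 4, 0x05, 0xb4,   4, 2,   8, 10, 0, 0, 0, 1, 0, 0, 0, 0,   1,   3, 3, 7,
};

/* Constructed fingerprints: one that fails at its second option, then two with
 * identical option layouts (the "log more than one match" case from the fix). */
static const struct finger FINGERS[] = {
    { "Windows",   6, { {2, 4}, {1, 1}, {3, 3}, {1, 1}, {1, 1}, {4, 2} } },
    { "Linux:3.x", 5, { {2, 4}, {4, 2}, {8, 10}, {1, 1}, {3, 3} } },
    { "Linux:4.x", 5, { {2, 4}, {4, 2}, {8, 10}, {1, 1}, {3, 3} } },
};
#define NFINGERS ((int)(sizeof FINGERS / sizeof FINGERS[0]))

static int demo(bool fixed)             /* run the sample through either matcher */
{ return count_matches(SYN_OPTS, sizeof SYN_OPTS, FINGERS, NFINGERS, fixed); }

int main(void)
{
    int hits = demo(false);
    printf("pre-fix : %d match(es), %u out-of-bounds read(s)\n", hits, g_oob_reads);
    hits = demo(true);
    printf("post-fix: %d match(es), %u out-of-bounds read(s)\n", hits, g_oob_reads);
    return 0;
}
```

With the pre-fix matcher the first Linux fingerprint matches and leaves the shared cursor at the end of the 20-byte option block, so the second Linux fingerprint is compared against a byte past the buffer (one counted out-of-bounds read) and fails: one match logged instead of two. The "Windows" entry fails at its second option and shows that the pre-fix restore-on-failure path did work; the defect is only on the success path. The post-fix matcher reports two matches and no out-of-bounds reads.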

Metrics

CVSS v3.1 base score: 9.1 (CRITICAL)
Fixed in: 0 (value shown in the metrics box; the fixed versions themselves are listed under Affected packages below)
Affected Products: 2


HarborGuard Analysis

Synopsis

An out-of-bounds read exists in the Linux kernel's netfilter subsystem, in the nfnetlink_osf code that matches a packet's TCP options against passive OS fingerprints. The defective path is reached only when OS-fingerprint matching is configured with NF_OSF_LOGLEVEL_ALL, so that matching continues after a fingerprint has fully matched: the shared option cursor is not reset, and the next fingerprint is compared starting at the end of the option buffer rather than its beginning, reading past it. The path is network-reachable and needs no authentication, since the trigger is an ordinary TCP packet arriving at a netfilter hook where such a rule is evaluated. The published CVSS v3.1 score (9.1, C:H/A:H) rates the read as a kernel-memory disclosure plus a crash; the upstream fix describes the observable effect as garbage reads that cause missed or incorrect fingerprint log entries and does not describe a path that returns the read bytes to the sender, so treat the confidentiality rating as an upper bound rather than a demonstrated read primitive. Patched-image rebuilds at the fix commits are available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-52999 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against container images in customer registries and CI/CD pipelines, including custom-built images that bundle an affected kernel or kernel modules.

Triage: Available

HarborGuard scores this CVE at its published CVSS v3.1 rating of 9.1 (Critical) and weights that score against each environment's compliance policy to determine urgency. Triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Available

A patched-image rebuild targeting the fix commits (0145548346c4a3, 1c136f2c44a591, 1e19a07291bb86, 21883587593d7c) becomes available on HarborGuard once upstream fixes are confirmed for a given image's kernel lineage. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable code path is reachable over the network; an attacker must be able to deliver TCP packets to a netfilter hook on the target where an OS-fingerprint rule is evaluated, so that nf_osf_match_one() parses the packet's options.

  • Authentication: Not required

    No credentials or session token are needed; the attacker sends unauthenticated packets to reach the vulnerable netfilter hook.

  • Victim interaction: Not required

    No user action is required; exploitation is fully remote and passive from the victim's perspective.

  • Attack complexity: Low (CVSS AC:L)

    The CVSS vector rates complexity low: no race condition or knowledge of memory layout is needed. The fix commit does name a configuration precondition, though: the target must have OS-fingerprint rules loaded with NF_OSF_LOGLEVEL_ALL and at least two fingerprints, the first of which fully matches the packet, because the stale ctx->optp only matters once matching continues past a successful match.

Blast Radius

  • The out-of-bounds read starts at the end of the packet's TCP option buffer, and CVSS rates its confidentiality impact high. The fix commit describes the read bytes only as feeding incorrect fingerprint comparisons and log entries, not as being returned to the attacker; treat disclosure of keys, tokens or other in-memory data as the rated upper bound, not a demonstrated capability.
  • An out-of-bounds read past packet data can fault and crash the kernel (CVSS A:H), taking down every container and workload running on that node.
  • Because the affected component sits in the netfilter path, any network-exposed host whose OS-fingerprint rules use NF_OSF_LOGLEVEL_ALL is in scope regardless of which containerized workloads it runs; hosts without such rules are not exposed even if their kernel version is in the affected range.
  • If read bytes were ever exposed to an attacker, for example through log output they can see, they could help defeat kernel address-space layout randomization and enable follow-on exploitation of separate vulnerabilities; the fix commit describes no such exposure path.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-52999 is active as of ingestion, matching images in customer registries and pipelines against the affected kernel version range. For environments running a kernel image older than the fix commits listed above, a patched-image rebuild is available once the upstream fix is confirmed for that image's lineage. Customers with auto-remediation enabled receive a rebuilt image, a regression test run, and a pull request opened against affected workloads; for high and critical severity issues the median time from CVE publication to merged patch PR is around 90 minutes in those environments. For environments where auto-remediation is not permitted by compliance policy, HarborGuard surfaces the finding with remediation guidance so teams can act manually.

Compensating controls while the patch is applied: first establish whether the vulnerable path is reachable at all. The bug needs OS-fingerprint matching rules loaded in netfilter with NF_OSF_LOGLEVEL_ALL, so a node with no osf rules is not exposed even though its kernel version is in range; check with lsmod | grep osf, iptables-save | grep -- '-m osf', and nft list ruleset | grep osf. Where such rules are present and logging of every matching fingerprint is not needed, lowering the log level (the --log setting of the iptables osf match) or removing the rule takes away the trigger. Otherwise, restrict inbound TCP traffic to those hosts with Kubernetes NetworkPolicy or host-level firewall rules to limit the pool of sources that can reach the netfilter hook.


Fix available

Fix commits (full hashes, as listed by the record):
  • 0145548346c4a30981a870a8ca00eac46ba27e85
  • 1c136f2c44a5913646bac85303612fd0825197a0
  • 1e19a07291bb8682c14c39a64725a3ae54ab8ccc
  • 21883587593d7c8bb519a79460a0b5bc5ffbdabd
  • 32e50f92c7cf3f4eba29622179a5fcdc2aebab41
  • 70a3f31d25cf2ec9d4ddfa408120171ead955623
  • edb78a142d2e5948e63647c0646aa7e7886935f0
  • f5ca450087c3baf3651055e7a6de92600f827af3
Fixed versions: 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, 7.1
(The source runs this list together into one string; a leading "0" and a fragment "4.204.21" between the commit hashes and the version list could not be parsed and are not kernel versions.)
Affected packages
  • Linux / Linux (git commit ranges; each range starts from 1a6a0951fc009f6d9fe8ebea2d2417d80d54097b)
      before 0145548346c4a30981a870a8ca00eac46ba27e85
      before 1c136f2c44a5913646bac85303612fd0825197a0
      before 1e19a07291bb8682c14c39a64725a3ae54ab8ccc
      before 32e50f92c7cf3f4eba29622179a5fcdc2aebab41
      before 70a3f31d25cf2ec9d4ddfa408120171ead955623
      before 21883587593d7c8bb519a79460a0b5bc5ffbdabd
  • Linux / Linux (version ranges)
      From 5.0
      Fixed in 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, 7.1 (the record also lists "0" here, which is not a kernel version)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H