CVE-2026-43452: netfilter: x_tables: guard option walkers against 1-byte tail reads

[Greg Kroah-Hartman <gregkh@linuxfoundation.org>]

From: Greg Kroah-Hartman <gregkh@kernel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

netfilter: x_tables: guard option walkers against 1-byte tail reads

When the last byte of options is a non-single-byte option kind, walkers
that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end
of the option area.

Add an explicit i == optlen - 1 check before dereferencing op[i + 1]
in xt_tcpudp and xt_dccp option walkers.

The Linux kernel CVE team has assigned CVE-2026-43452 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 2.6.16 with commit 2e4e6a17af35be359cc8f1c924f8f198fbd478cc and fixed in 5.10.253 with commit c2a445367a496a3c25dbc940c10c8bd1cfd4c14a
	Issue introduced in 2.6.16 with commit 2e4e6a17af35be359cc8f1c924f8f198fbd478cc and fixed in 5.15.203 with commit ae1e1267650638136b84c23f2b31250f0ccb6823
	Issue introduced in 2.6.16 with commit 2e4e6a17af35be359cc8f1c924f8f198fbd478cc and fixed in 6.1.167 with commit c39f84e4be1be63fc60ca7141ea7b76edcea5907
	Issue introduced in 2.6.16 with commit 2e4e6a17af35be359cc8f1c924f8f198fbd478cc and fixed in 6.6.130 with commit 9b94f0e42ed248eb31929da84ed9f5310d7ff540
	Issue introduced in 2.6.16 with commit 2e4e6a17af35be359cc8f1c924f8f198fbd478cc and fixed in 6.12.78 with commit 5b18b8b35c7cded2d17b2b2604c9b0694ff48d1c
	Issue introduced in 2.6.16 with commit 2e4e6a17af35be359cc8f1c924f8f198fbd478cc and fixed in 6.18.19 with commit bc18551c6169eac5ed813778d3e3e484002dbbe5
	Issue introduced in 2.6.16 with commit 2e4e6a17af35be359cc8f1c924f8f198fbd478cc and fixed in 6.19.9 with commit d04800323336eebf441d153f43234eac9b833d36
	Issue introduced in 2.6.16 with commit 2e4e6a17af35be359cc8f1c924f8f198fbd478cc and fixed in 7.0 with commit cfe770220ac2dbd3e104c6b45094037455da81d4

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2026-43452
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/netfilter/xt_dccp.c
	net/netfilter/xt_tcpudp.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/c2a445367a496a3c25dbc940c10c8bd1cfd4c14a
	https://git.kernel.org/stable/c/ae1e1267650638136b84c23f2b31250f0ccb6823
	https://git.kernel.org/stable/c/c39f84e4be1be63fc60ca7141ea7b76edcea5907
	https://git.kernel.org/stable/c/9b94f0e42ed248eb31929da84ed9f5310d7ff540
	https://git.kernel.org/stable/c/5b18b8b35c7cded2d17b2b2604c9b0694ff48d1c
	https://git.kernel.org/stable/c/bc18551c6169eac5ed813778d3e3e484002dbbe5
	https://git.kernel.org/stable/c/d04800323336eebf441d153f43234eac9b833d36
	https://git.kernel.org/stable/c/cfe770220ac2dbd3e104c6b45094037455da81d4