From: Greg Kroah-Hartman
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman
Subject: CVE-2026-43452: netfilter: x_tables: guard option walkers against 1-byte tail reads
Date: Fri, 8 May 2026 16:23:01 +0200
Message-ID: <2026050858-CVE-2026-43452-9210@gregkh>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

netfilter: x_tables: guard option walkers against 1-byte tail reads

When the last byte of options is a non-single-byte option kind, walkers
that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end
of the option area.

Add an explicit i == optlen - 1 check before dereferencing op[i + 1]
in xt_tcpudp and xt_dccp option walkers.

The Linux kernel CVE team has assigned CVE-2026-43452 to this issue.

Affected and fixed versions
===========================

	Issue introduced in 2.6.16 with commit 2e4e6a17af35be359cc8f1c924f8f198fbd478cc and fixed in 5.10.253 with commit c2a445367a496a3c25dbc940c10c8bd1cfd4c14a
	Issue introduced in 2.6.16 with commit 2e4e6a17af35be359cc8f1c924f8f198fbd478cc and fixed in 5.15.203 with commit ae1e1267650638136b84c23f2b31250f0ccb6823
	Issue introduced in 2.6.16 with commit 2e4e6a17af35be359cc8f1c924f8f198fbd478cc and fixed in 6.1.167 with commit c39f84e4be1be63fc60ca7141ea7b76edcea5907
	Issue introduced in 2.6.16 with commit 2e4e6a17af35be359cc8f1c924f8f198fbd478cc and fixed in 6.6.130 with commit 9b94f0e42ed248eb31929da84ed9f5310d7ff540
	Issue introduced in 2.6.16 with commit 2e4e6a17af35be359cc8f1c924f8f198fbd478cc and fixed in 6.12.78 with commit 5b18b8b35c7cded2d17b2b2604c9b0694ff48d1c
	Issue introduced in 2.6.16 with commit 2e4e6a17af35be359cc8f1c924f8f198fbd478cc and fixed in 6.18.19 with commit bc18551c6169eac5ed813778d3e3e484002dbbe5
	Issue introduced in 2.6.16 with commit 2e4e6a17af35be359cc8f1c924f8f198fbd478cc and fixed in 6.19.9 with commit d04800323336eebf441d153f43234eac9b833d36
	Issue introduced in 2.6.16 with commit 2e4e6a17af35be359cc8f1c924f8f198fbd478cc and fixed in 7.0 with commit cfe770220ac2dbd3e104c6b45094037455da81d4

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2026-43452
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	net/netfilter/xt_dccp.c
	net/netfilter/xt_tcpudp.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.
Individual changes are never tested alone, but rather are part of a
larger kernel release.  Cherry-picking individual commits is not
recommended or supported by the Linux kernel community at all.  If
however, updating to the latest release is impossible, the individual
changes to resolve this issue can be found at these commits:
	https://git.kernel.org/stable/c/c2a445367a496a3c25dbc940c10c8bd1cfd4c14a
	https://git.kernel.org/stable/c/ae1e1267650638136b84c23f2b31250f0ccb6823
	https://git.kernel.org/stable/c/c39f84e4be1be63fc60ca7141ea7b76edcea5907
	https://git.kernel.org/stable/c/9b94f0e42ed248eb31929da84ed9f5310d7ff540
	https://git.kernel.org/stable/c/5b18b8b35c7cded2d17b2b2604c9b0694ff48d1c
	https://git.kernel.org/stable/c/bc18551c6169eac5ed813778d3e3e484002dbbe5
	https://git.kernel.org/stable/c/d04800323336eebf441d153f43234eac9b833d36
	https://git.kernel.org/stable/c/cfe770220ac2dbd3e104c6b45094037455da81d4
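
The tail read and the i == optlen - 1 guard named in the Description, as an added userspace example; it is not the kernel patch and not code from xt_tcpudp.c or xt_dccp.c. It assumes TCP-style options in which kinds 0 and 1 are single-byte; rd, find_option, oob_reads_for and both sample buffers are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed option areas (kind, length, data); not captured traffic. */
static const uint8_t TRUNCATED[] = { 1, 1, 2, 4, 0x05, 0xb4, 1, 8 }; /* ends on kind 8, no length byte */
static const uint8_t WELL_FORMED[] = { 2, 4, 0x05, 0xb4, 3, 3, 7, 0 };
static size_t oob_reads; /* reads attempted at index >= optlen */

/* Recording accessor (hypothetical helper): never touches memory outside the area. */
static uint8_t rd(const uint8_t *op, size_t optlen, size_t i)
{
	if (i < optlen)
		return op[i];
	oob_reads++;
	return 0; /* stand-in for whatever byte follows the option area */
}

/* Walk the options looking for `option`; `guard` enables the i == optlen - 1 check. */
static bool find_option(bool guard, uint8_t option, const uint8_t *op, size_t optlen)
{
	size_t i = 0;
	oob_reads = 0;
	while (i < optlen) {
		uint8_t kind = rd(op, optlen, i);
		if (kind == option)
			return true;
		if (kind < 2 || (guard && i == optlen - 1)) {
			i++; /* single-byte kind, or last byte: no length byte to read */
		} else {
			uint8_t len = rd(op, optlen, i + 1);
			i += len ? len : 1; /* same step as op[i + 1] ? : 1 */
		}
	}
	return false;
}

/* Out-of-area reads performed by one walk. */
static size_t oob_reads_for(bool guard, uint8_t option, const uint8_t *op, size_t optlen)
{
	find_option(guard, option, op, optlen);
	return oob_reads;
}

int main(void)
{
	printf("unguarded: %zu out-of-area read(s)\n", oob_reads_for(false, 3, TRUNCATED, sizeof(TRUNCATED)));
	printf("guarded:   %zu out-of-area read(s)\n", oob_reads_for(true, 3, TRUNCATED, sizeof(TRUNCATED)));
	return 0;
}
```

Both walkers return the same match result on these buffers; only the unguarded one asks for the byte past the option area, which is the read a tool such as KASAN would flag.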