CVE-2026-23397

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description The Linux kernel contains a flaw within the nfnetlink osf module related to the validation of option lengths in network packet fingerprints. Specifically, the nfnl osf add callback() function does not adequately check the length of individual options, potentially leading to issues when processing packets. A zero-length option can cause the nf osf match one() function to enter a loop even when no TCP options are present, resulting in a general protection fault. Additionally, an MSS option (kind=2) with a length less than 4 can trigger out-of-bounds reads when accessing option data within the same function. The issue arises because the code uses a "< 4" check instead of a "!=" check for MSS option lengths, despite RFC 9293 specifying that MSS options are always 4 bytes long. The vulnerability can be exploited by crafting packets with invalid option lengths. The vulnerable function is nf osf match one().

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.