CVE-2026-46244

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft inner: Fix IPv6 inner thoff desync

In nft inner parse l2l3(), when processing inner IPv6 packets, ipv6 find hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof( ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.

For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6 find hdr()'s result. Removing the incorrect overwrite ensures that ipv6 find hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.