CVE-2026-23397 Overview
A vulnerability has been identified in the Linux kernel's nfnetlink_osf subsystem where insufficient validation of individual option length fields in OS fingerprints can lead to a null pointer dereference and out-of-bounds read conditions. The nfnl_osf_add_callback() function validates opt_num bounds and string NUL-termination but fails to check individual option length fields, allowing malformed fingerprints to trigger memory safety violations during packet matching operations.
Critical Impact
This vulnerability can cause kernel panics via null pointer dereference when processing packets with no TCP options, and potential information disclosure through out-of-bounds reads when handling malformed MSS options with insufficient length values.
Affected Products
- Linux kernel (nfnetlink_osf module)
- Linux kernel (netfilter subsystem)
- Systems using iptables with OS fingerprinting (xt_osf)
Discovery Timeline
- 2026-03-26 - CVE-2026-23397 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-23397
Vulnerability Analysis
The vulnerability exists in the Linux kernel's netfilter OS fingerprinting module (nfnetlink_osf). When fingerprints are added via nfnl_osf_add_callback(), the function performs validation on opt_num bounds and ensures string NUL-termination, but critically neglects to validate individual option length fields within the fingerprint data structure.
This oversight creates two distinct exploitation paths:
Null Pointer Dereference: A zero-length option causes nf_osf_match_one() to enter the option matching loop even when foptsize sums to zero. This matches packets with no TCP options where ctx->optp is NULL, resulting in a general protection fault when the kernel attempts to dereference the null pointer.
Out-of-Bounds Read: An MSS option (kind=2) with length less than 4 bytes triggers out-of-bounds memory reads. The nf_osf_match_one() function unconditionally accesses optp[2] and optp[3] for MSS value extraction, assuming the standard 4-byte MSS option format per RFC 9293 section 3.2.
Root Cause
The root cause is missing input validation in nfnl_osf_add_callback() for individual option length fields within fingerprint entries. The function trusts that option lengths are valid without enforcing that:
- No option has a zero length value
- MSS options (kind=2) have a minimum length of 4 bytes
This allows malformed fingerprints to be added to the kernel's fingerprint database, which are then used in the packet matching hot path where invalid lengths cause memory safety violations.
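The two missing checks, modelled in C as an added example (not the kernel's own code): the struct layout and function names are simplified assumptions, and the second helper flags fingerprints already in a database whose option lengths sum to zero, the condition that sends the matcher into the option loop on a packet with no TCP options.

```c
#include <errno.h>
#include <stdint.h>

/* Simplified model of a fingerprint option list (assumption: not the
 * kernel's struct nf_osf_opt / nf_osf_user_finger, which carry more fields). */
#define OSFOPT_MSS 2
#define MAX_OPTS   40

struct osf_opt    { uint16_t kind; uint16_t length; };
struct osf_finger { uint16_t opt_num; struct osf_opt opt[MAX_OPTS]; };

/* Add-time check corresponding to the fix: reject any zero-length option
 * and any MSS option shorter than the 4 bytes the matcher reads
 * (optp[2] and optp[3]). Returns 0 on success, -EINVAL when malformed. */
int osf_validate_opts(const struct osf_finger *f)
{
    if (f->opt_num > MAX_OPTS)
        return -EINVAL;           /* opt_num bound, already enforced */
    for (uint16_t i = 0; i < f->opt_num; i++) {
        const struct osf_opt *o = &f->opt[i];
        if (o->length == 0)
            return -EINVAL;       /* would let foptsize sum to zero */
        if (o->kind == OSFOPT_MSS && o->length < 4)
            return -EINVAL;       /* matcher reads optp[2..3] */
    }
    return 0;
}

/* Audit helper for already-loaded fingerprints: returns 1 when the entry
 * has options but their lengths sum to 0, so the matcher would compare it
 * against a packet with no TCP options, where optp is NULL. */
int osf_matches_empty_options(const struct osf_finger *f)
{
    unsigned int foptsize = 0;
    if (f->opt_num == 0)
        return 0;                 /* option loop is skipped entirely */
    for (uint16_t i = 0; i < f->opt_num; i++)
        foptsize += f->opt[i].length;
    return foptsize == 0;
}
```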
Attack Vector
An attacker with sufficient privileges to add OS fingerprints via netlink could inject a malformed fingerprint with zero-length options or undersized MSS options. When network packets are subsequently processed against this fingerprint database, the kernel encounters:
- A null pointer dereference when matching packets without TCP options against a fingerprint with zero-length options
- Out-of-bounds reads when matching packets with TCP options against fingerprints containing MSS options with length < 4
The kernel crash manifests with the following call trace:
Oops: general protection fault
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
Call Trace:
nf_osf_match (net/netfilter/nfnetlink_osf.c:227)
xt_osf_match_packet (net/netfilter/xt_osf.c:32)
ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)
nf_hook_slow (net/netfilter/core.c:623)
ip_local_deliver (net/ipv4/ip_input.c:262)
ip_rcv (net/ipv4/ip_input.c:573)
Detection Methods for CVE-2026-23397
Indicators of Compromise
- Kernel panic or crash logs containing references to nf_osf_match_one or nf_osf_match
- KASAN reports indicating null pointer dereference in net/netfilter/nfnetlink_osf.c
- System instability or unexpected reboots on systems using iptables OS fingerprinting
- Kernel log entries showing general protection faults in netfilter subsystem
Detection Strategies
- Monitor kernel logs for KASAN reports or general protection faults referencing the nfnetlink_osf module
- Implement audit logging for netlink operations that add OS fingerprints via nfnl_osf_add_callback
- Deploy kernel crash dump analysis to identify exploitation attempts targeting this vulnerability
- Review iptables rules for use of the osf match module, which indicates potential exposure
Monitoring Recommendations
- Enable KASAN (Kernel Address Sanitizer) on development and testing systems to detect memory safety violations
- Configure kdump or similar crash dump mechanisms to capture kernel state upon panic for forensic analysis
- Monitor for repeated system crashes or reboots that may indicate active exploitation attempts
- Implement network traffic monitoring for unusual TCP option patterns on affected systems
How to Mitigate CVE-2026-23397
Immediate Actions Required
- Apply the latest kernel security patches from your distribution vendor
- If patching is not immediately possible, consider disabling or removing iptables rules using the osf match module
- Restrict access to netlink operations that can add OS fingerprints to trusted users only
- Review and validate any existing OS fingerprint configurations for malformed entries
Patch Information
The Linux kernel maintainers have released patches that reject fingerprints at add time where any option has zero length, or where an MSS option has length less than 4. Multiple patch commits are available for different kernel branches:
- Kernel Patch Commit 224f467
- Kernel Patch Commit 3932620
- Kernel Patch Commit 4c6aa00
- Kernel Patch Commit aa05741
- Kernel Patch Commit dbdfaae
- Kernel Patch Commit ec8bf05
Workarounds
- Disable OS fingerprinting functionality in iptables if not required for operations
- Remove iptables rules that use the -m osf match module
- Restrict netlink socket access via SELinux or AppArmor policies to prevent unauthorized fingerprint additions
- Implement network segmentation to limit exposure of affected systems
# Check for iptables rules using OS fingerprinting
iptables -L -n -v | grep -i osf
# Remove osf module if not needed
modprobe -r xt_osf
modprobe -r nfnetlink_osf
# Block module loading (temporary workaround)
echo "install xt_osf /bin/false" >> /etc/modprobe.d/blacklist-osf.conf
echo "install nfnetlink_osf /bin/false" >> /etc/modprobe.d/blacklist-osf.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.