CVE-2026-43190 Overview
CVE-2026-43190 is an out-of-bounds read vulnerability in the Linux kernel's netfilter subsystem, specifically within the xt_tcpmss match module. The flaw resides in net/netfilter/xt_tcpmss.c (lines 53-68), where the TCP option parser reads op[i+1] without first validating the remaining option length. When the last byte of the option field is not End-of-List (0) or No-Operation (1), the parser indexes past the optlen boundary. This results in a read beyond the stack buffer _opt or into adjacent payload memory. The Linux kernel maintainers resolved the issue by adding a length check before reading optlen.
Critical Impact
An out-of-bounds read in kernel-space TCP option parsing can leak adjacent kernel memory contents and potentially trigger denial-of-service conditions on systems applying xt_tcpmss rules to attacker-controlled traffic.
Affected Products
- Linux kernel versions containing the unpatched net/netfilter/xt_tcpmss.c parser
- Distributions shipping the xt_tcpmss netfilter match module
- Systems using iptables or nftables rules that invoke TCP MSS matching
Discovery Timeline
- 2026-05-06 - CVE-2026-43190 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43190
Vulnerability Analysis
The xt_tcpmss module inspects TCP options to match packets carrying a specific Maximum Segment Size (MSS) value. The parser iterates over the TCP option field, reading the option kind at op[i] and the option length at op[i+1]. The original implementation failed to verify that i+1 remained within the bounds defined by optlen before dereferencing op[i+1]. When a crafted TCP segment terminates the option field with a non-EOL and non-NOP byte, the loop reads one byte past the validated option region. The read may target the remainder of the stack buffer _opt or, depending on layout, payload bytes following it. This is classified as an out-of-bounds read [CWE-125].
Root Cause
The defect is a missing boundary check. The parser assumed any option byte other than EOL or NOP is followed by a valid length byte. The fix introduces an explicit i + 1 < optlen check before accessing op[i+1], ensuring the parser never reads beyond the option region copied into _opt.
Attack Vector
Exploitation requires an attacker to send a TCP segment whose option field ends with a single non-trivial option byte to a host evaluating xt_tcpmss rules. The malformed option triggers the kernel parser to read one byte past the buffer. The vulnerability manifests during in-kernel packet evaluation. See the upstream patches for the exact parser changes: Linux Kernel Commit f895191 and Linux Kernel Commit 07a9b32.
// No verified proof-of-concept code is available.
// Refer to the upstream commits for the corrected parser logic
// that adds the i + 1 < optlen bounds check before reading op[i+1].
Detection Methods for CVE-2026-43190
Indicators of Compromise
- Kernel oops, KASAN reports, or slab-out-of-bounds warnings referencing tcpmss_mt or xt_tcpmss in dmesg
- Unexpected netfilter-related crashes on hosts using TCP MSS matching rules
- Anomalous inbound TCP segments containing truncated or malformed option fields directed at filtering hosts
Detection Strategies
- Enable Kernel Address Sanitizer (KASAN) in test environments to surface out-of-bounds reads in the netfilter path
- Audit running kernel versions against the patched commits listed in the references to confirm whether the fix is applied
- Inspect iptables and nftables rule sets for active use of the tcpmss match, which scopes exposure
Monitoring Recommendations
- Forward kernel logs to a centralized log platform and alert on xt_tcpmss, KASAN, or BUG: strings
- Monitor host stability metrics on firewalls and routers that apply MSS-clamping or MSS-matching rules
- Capture and review TCP option fields in flow telemetry where feasible to identify malformed option sequences
How to Mitigate CVE-2026-43190
Immediate Actions Required
- Apply the upstream Linux kernel patches and rebuild or update to a fixed kernel package from your distribution
- Identify hosts with active xt_tcpmss rules and prioritize them for patching, particularly internet-facing firewalls
- Restart affected systems after kernel update to load the corrected xt_tcpmss module
Patch Information
The vulnerability is fixed across multiple stable branches. Reference the corresponding upstream commits: Linux Kernel Commit 5e13d0a, Linux Kernel Commit 735ee85, Linux Kernel Commit 8b300f7, Linux Kernel Commit cd5beda, Linux Kernel Commit eaedc0b, and Linux Kernel Commit f6c412d. Consume the fix through your distribution's security update channel.
Workarounds
- Remove tcpmss match rules from iptables and nftables configurations on hosts that cannot be patched immediately
- Unload the xt_tcpmss module where it is not required: rmmod xt_tcpmss and blacklist it in /etc/modprobe.d/
- Apply upstream traffic filtering to drop TCP segments with malformed option fields before they reach vulnerable hosts
# Verify whether xt_tcpmss is loaded and in use
lsmod | grep xt_tcpmss
iptables-save | grep -i tcpmss
nft list ruleset | grep -i tcpmss
# Temporarily unload the module if no rules require it
sudo rmmod xt_tcpmss
# Persistently prevent loading until patched
echo 'blacklist xt_tcpmss' | sudo tee /etc/modprobe.d/disable-xt_tcpmss.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
