CVE-2026-43452 Overview
CVE-2026-43452 is an out-of-bounds read vulnerability in the Linux kernel's netfilter subsystem, specifically in the x_tables option walkers. The flaw resides in the xt_tcpudp module (the option walker behind the tcp match's --tcp-option) and the xt_dccp module (the walker behind the dccp match's --dccp-option), where the option-walking loop can read one byte past the end of the option area. When the final byte of the option area holds a multi-byte option kind, the walker dereferences op[i + 1] without confirming that index i + 1 still lies within the option length.
Critical Impact
An attacker who can send packets through a ruleset that uses the tcp or dccp option match can trigger a one-byte out-of-bounds read in kernel memory, potentially leading to kernel instability or denial of service. The byte read past the option area is consumed only as the loop stride, so direct information disclosure is limited.
Affected Products
- Linux kernel netfilter subsystem (xt_tcpudp module)
- Linux kernel netfilter subsystem (xt_dccp module)
- Multiple stable Linux kernel branches receiving backported fixes
Discovery Timeline
- 2026-05-08 - CVE-2026-43452 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43452
Vulnerability Analysis
The vulnerability exists in the option-walking logic used by the netfilter match modules xt_tcpudp and xt_dccp. These walkers iterate through the TCP or DCCP option area (UDP has no options, so the udp match never enters this code). Kinds 0 and 1 (EOL and NOP) are single-byte and advance the index by one; for any other kind the walker advances with the construct i += op[i+1] ?: 1, reading the length byte at op[i + 1] to find the next option's offset.
When the loop reaches the final byte of the option area and that byte is a multi-byte option kind, the walker reads op[i + 1] even though index i + 1 lies beyond the option area. The result is a one-byte out-of-bounds read of kernel memory. Because i is already optlen - 1 at that point and the stride is at least 1, the loop terminates whatever the stray byte contains; the match result is unchanged, and the harm is the out-of-bounds access itself.
The fix introduces an explicit i == optlen - 1 boundary check before dereferencing op[i + 1], ensuring the walker stops at the last valid index instead of speculatively reading the length of a non-existent option.
Root Cause
The root cause is missing boundary validation in the option-parsing loop. The original code optimistically assumes that any option kind of 2 or above has an accompanying length byte at i + 1. This assumption fails when such a kind appears at the absolute end of the option area, producing an out-of-bounds read [CWE-125].
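The following userspace model is an added example, not code from the kernel or from the upstream fix. find_option_unchecked() mirrors the pre-fix loop described above, find_option_guarded() adds the i == optlen - 1 stop, and tcp_options_well_formed() is the kind of strict option-length sanity check that the workaround section suggests applying at upstream devices (TCP kind/length encoding per RFC 793). The option buffers, the 0xaa sentinel byte standing in for whatever follows the option area in memory, and the walk_stats counter that stands in for a KASAN report are all constructed here.

```c
/* Added example (not kernel code): model of the x_tables option walker. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct walk_stats {
    size_t oob_reads;   /* reads at index >= optlen; stands in for KASAN */
};

/* Every read goes through here so we can see when the walker leaves the
 * option area. Callers pad buffers by one byte so the read itself is safe. */
static uint8_t rd(const uint8_t *op, size_t i, size_t optlen,
                  struct walk_stats *st)
{
    if (st && i >= optlen)
        st->oob_reads++;
    return op[i];
}

/* Pre-fix walker: "if (op[i] < 2) i++; else i += op[i+1] ?: 1;".
 * With i == optlen - 1 and a multi-byte kind, op[i+1] is past the end. */
static bool find_option_unchecked(const uint8_t *op, size_t optlen,
                                  uint8_t option, struct walk_stats *st)
{
    for (size_t i = 0; i < optlen; ) {
        uint8_t kind = rd(op, i, optlen, st);
        if (kind == option)
            return true;
        if (kind < 2) {
            i++;
        } else {
            uint8_t len = rd(op, i + 1, optlen, st);   /* the bad read */
            i += len ? len : 1;
        }
    }
    return false;
}

/* Fixed walker: the last byte has no length byte after it, so stop. */
static bool find_option_guarded(const uint8_t *op, size_t optlen,
                                uint8_t option, struct walk_stats *st)
{
    for (size_t i = 0; i < optlen; ) {
        uint8_t kind = rd(op, i, optlen, st);
        if (kind == option)
            return true;
        if (kind < 2) {
            i++;
        } else if (i == optlen - 1) {
            break;                                     /* the fix */
        } else {
            uint8_t len = rd(op, i + 1, optlen, st);
            i += len ? len : 1;
        }
    }
    return false;
}

/* Strict TCP option-area check: EOL ends the area, NOP is one byte, every
 * other kind needs a length byte, a length >= 2, and must fit in the area. */
static bool tcp_options_well_formed(const uint8_t *op, size_t optlen)
{
    size_t i = 0;
    while (i < optlen) {
        uint8_t kind = op[i];
        if (kind == 0)
            return true;
        if (kind == 1) {
            i++;
            continue;
        }
        if (i + 1 >= optlen)
            return false;        /* kind with no length byte: the CVE shape */
        uint8_t len = op[i + 1];
        if (len < 2 || len > optlen - i)
            return false;
        i += len;
    }
    return true;
}

/* Runs one walker on a buffer and reports how many reads went out of bounds. */
static size_t oob_reads_of(bool guarded, const uint8_t *op, size_t optlen,
                           uint8_t option)
{
    struct walk_stats st = { 0 };
    if (guarded)
        find_option_guarded(op, optlen, option, &st);
    else
        find_option_unchecked(op, optlen, option, &st);
    return st.oob_reads;
}

/* Constructed option areas. Index optlen holds a sentinel that is not part
 * of the options; it models the byte that follows the area in memory. */
#define TRUNCATED_OPTLEN 7
static const uint8_t truncated_opts[TRUNCATED_OPTLEN + 1] = {
    0x02, 0x04, 0x05, 0xb4,   /* MSS 1460 */
    0x01, 0x01,               /* NOP NOP */
    0x08,                     /* Timestamps kind, length byte missing */
    0xaa                      /* sentinel beyond the option area */
};
#define GOOD_OPTLEN 8
static const uint8_t good_opts[GOOD_OPTLEN + 1] = {
    0x02, 0x04, 0x05, 0xb4,   /* MSS 1460 */
    0x01,                     /* NOP */
    0x03, 0x03, 0x07,         /* Window scale 7 */
    0xaa
};

int main(void)
{
    printf("truncated: unchecked oob=%zu guarded oob=%zu well_formed=%d\n",
           oob_reads_of(false, truncated_opts, TRUNCATED_OPTLEN, 3),
           oob_reads_of(true, truncated_opts, TRUNCATED_OPTLEN, 3),
           tcp_options_well_formed(truncated_opts, TRUNCATED_OPTLEN));
    printf("good: found ws=%d well_formed=%d\n",
           find_option_guarded(good_opts, GOOD_OPTLEN, 3, NULL),
           tcp_options_well_formed(good_opts, GOOD_OPTLEN));
    return 0;
}
```

Searching the truncated buffer for window scale (kind 3) makes the unchecked walker touch the sentinel once and the guarded walker not at all, while both return the same "not found"; searching it for kind 8 matches on the last byte in both versions before the length read is attempted. The validator rejects the truncated buffer and accepts the well-formed one.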
Attack Vector
An attacker can craft TCP or DCCP packets whose option area ends in a multi-byte option kind with no trailing length byte. When such packets traverse a system whose iptables or ip6tables rules use --tcp-option (xt_tcpudp) or --dccp-option (xt_dccp), the kernel walker reads one byte beyond the option area. The stray byte only sets the final loop stride and cannot change the match result; the exposure is the out-of-bounds access itself, which is reported by KASAN and, depending on what lies past the option area, may destabilize the kernel under repeated triggering.
No verified public exploit code is available. The vulnerability mechanism is described in the upstream commits referenced in the Linux kernel stable tree.
Detection Methods for CVE-2026-43452
Indicators of Compromise
- Unexpected kernel oops or panic entries in dmesg referencing xt_tcpudp or xt_dccp functions
- KASAN (Kernel Address Sanitizer) reports flagging out-of-bounds reads in netfilter option walkers
- Inbound traffic containing malformed TCP or DCCP option areas terminating in a multi-byte option kind with no length byte
Detection Strategies
- Enable KASAN in test environments and replay suspicious packet captures to surface the out-of-bounds read
- Audit running kernel versions against the fixed commits listed in the stable kernel git tree to identify unpatched hosts
- Inspect netfilter rulesets for --tcp-option and --dccp-option, the only matches that enter the vulnerable walkers; the udp match and port-only or flag-only tcp rules load xt_tcpudp but never reach the option loop
Monitoring Recommendations
- Forward kernel logs to a centralized logging or SIEM platform and alert on netfilter-related crashes
- Monitor network telemetry for malformed TCP or DCCP option fields, particularly truncated option sequences
- Track host availability metrics for Linux gateways and firewalls running stateful packet inspection rules
How to Mitigate CVE-2026-43452
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the official commits and reboot affected hosts
- Inventory all Linux systems performing packet filtering with iptables, nftables compatibility layers, or ip6tables and prioritize patching
- Verify backported fixes are present in distribution kernels before deploying to production
Patch Information
The vulnerability is resolved across multiple Linux stable branches via the following commits: 5b18b8b, 9b94f0e, ae1e126, bc18551, c2a4453, c39f84e, cfe7702, and d048003. Each patch adds an i == optlen - 1 guard before dereferencing the option length byte in the affected walkers.
Workarounds
- Remove or replace iptables and ip6tables rules that use --tcp-option or --dccp-option where feasible; rules that match only ports or flags do not enter the walker
- Drop malformed packets at upstream network devices using sanity checks on TCP and DCCP option lengths (a kind of 2 or above must be followed by a length byte of at least 2 that fits within the option area)
- Unload the xt_dccp kernel module on hosts that do not require DCCP filtering using modprobe -r xt_dccp; xt_tcpudp cannot be unloaded while any tcp or udp rule references it, so for that module the equivalent is to remove --tcp-option rules
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.