CVE-2026-46244 Overview
CVE-2026-46244 is a Linux kernel vulnerability in the netfilter subsystem, specifically within the nft_inner module responsible for inspecting inner packet headers of tunneled traffic. The flaw causes a desynchronization between the inner transport header offset (inner_thoff) and the layer-4 protocol value (l4proto) when parsing inner IPv6 packets that include extension headers. This mismatch enables transport header forgery and can result in firewall rule bypass. The issue affects stable Linux kernel releases beginning with version 6.2.
Critical Impact
Attackers can craft IPv6 packets with extension headers inside tunneled traffic to bypass nftables inner-header matching rules, defeating firewall policies that rely on transport-layer inspection.
Affected Products
- Linux kernel stable releases from version 6.2 onward
- Distributions shipping affected kernels with nftables and nft_inner enabled
- Systems using nftables rules that match against inner headers of tunneled IPv6 traffic
Discovery Timeline
- 2026-06-03 - CVE-2026-46244 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-46244
Vulnerability Analysis
The vulnerability resides in nft_inner_parse_l2l3(), which parses layer-2 and layer-3 headers of inner packets during nftables evaluation of tunneled traffic. When the inner packet is IPv6, the function calls ipv6_find_hdr() to walk extension headers and compute the correct transport header offset. The returned offset is then immediately overwritten by nhoff + sizeof(_ip6h), a fixed 40-byte advance representing only the IPv6 base header.
This overwrite produces a state where inner_thoff points to the start of extension headers rather than the actual transport header, while l4proto is correctly resolved to values such as IPPROTO_TCP. Rules that match on inner transport fields will read attacker-controlled bytes inside extension headers instead of genuine TCP, UDP, or ICMPv6 fields.
Root Cause
The root cause is an incorrect assignment that discards the result of ipv6_find_hdr(). The non-inner IPv6 parsing path correctly preserves the value returned by ipv6_find_hdr(), but the inner-packet code path overwrites it with a static offset that ignores IPv6 extension headers such as Hop-by-Hop, Routing, Fragment, and Destination Options.
Attack Vector
An attacker sends tunneled traffic, for example VXLAN or Geneve, carrying an inner IPv6 packet that includes one or more extension headers before the transport header. nftables rules evaluating inner transport fields read bytes from the extension header region rather than the real TCP or UDP header. Attackers can craft those bytes so that firewall match expressions evaluate against forged port or flag values, bypassing intended filtering. The vulnerability mechanism is documented in the upstream fix commits referenced below; see the Kernel Git Commit 689bbf48 and Kernel Git Commit d0f98a36 for the upstream patches.
Detection Methods for CVE-2026-46244
Indicators of Compromise
- Tunneled traffic (VXLAN, Geneve, GRE) carrying inner IPv6 packets with non-empty extension header chains arriving at hosts using nft_inner rules
- nftables counters showing unexpected allows for flows that should match transport-layer drop rules
- Inner IPv6 packets whose base-header Next Header field carries an extension header value (0 Hop-by-Hop, 43 Routing, 44 Fragment, 60 Destination Options), with the extension header bytes that follow shaped like transport header fields
Detection Strategies
- Inspect inner IPv6 packets within tunneled flows and compare the extension header chain length against what nftables inner matches evaluate
- Audit nftables rulesets that use inner expressions against IPv6 to identify rules vulnerable to bypass
- Correlate kernel version inventory (>= 6.2 without the fix) against hosts processing tunneled IPv6 traffic
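The following user-space model is an added example, not kernel code and not the upstream patch. It illustrates the Root Cause section (the walked extension-header offset computed and then overwritten with a fixed 40-byte advance, beside the fixed form that keeps the walked offset) and the first detection strategy (measuring the inner extension-header chain). The walker is a simplified stand-in for ipv6_find_hdr() that handles Hop-by-Hop, Routing, Fragment and Destination Options only; function names, the struct, and the sample packet are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example (not kernel code): user-space model of the inner IPv6
   offset bug and of the extension-header check used for detection. */

#define IP6_HDR_LEN      40
#define NEXTHDR_HOP      0
#define NEXTHDR_TCP      6
#define NEXTHDR_ROUTING  43
#define NEXTHDR_FRAGMENT 44
#define NEXTHDR_DEST     60

struct inner_ctx {
    int     inner_thoff;  /* offset of the inner transport header */
    uint8_t l4proto;      /* resolved inner transport protocol */
};

/* Simplified stand-in for ipv6_find_hdr(): walk the extension-header chain
   of the IPv6 header at nhoff. Returns the transport header offset and
   sets *l4proto, or -1 if the packet is truncated. */
static int ipv6_walk_exthdrs(const uint8_t *pkt, size_t len, int nhoff,
                             uint8_t *l4proto)
{
    if (nhoff < 0 || (size_t)nhoff + IP6_HDR_LEN > len)
        return -1;
    uint8_t nexthdr = pkt[nhoff + 6];          /* base-header Next Header */
    int off = nhoff + IP6_HDR_LEN;
    for (;;) {
        switch (nexthdr) {
        case NEXTHDR_HOP:
        case NEXTHDR_ROUTING:
        case NEXTHDR_DEST:
            if ((size_t)off + 2 > len) return -1;
            nexthdr = pkt[off];                 /* ext header's Next Header */
            off += (pkt[off + 1] + 1) * 8;      /* Hdr Ext Len: 8-octet units, first unit excluded */
            break;
        case NEXTHDR_FRAGMENT:
            if ((size_t)off + 8 > len) return -1;
            nexthdr = pkt[off];
            off += 8;                           /* fragment header is a fixed 8 bytes */
            break;
        default:
            *l4proto = nexthdr;                 /* first non-extension header */
            return off;
        }
        if ((size_t)off > len) return -1;
    }
}

/* Pre-fix behaviour as the advisory describes it: the walked offset is
   stored and immediately overwritten with nhoff + 40. */
static int parse_inner_ipv6_buggy(const uint8_t *pkt, size_t len, int nhoff,
                                  struct inner_ctx *ctx)
{
    int thoff = ipv6_walk_exthdrs(pkt, len, nhoff, &ctx->l4proto);
    if (thoff < 0) return -1;
    ctx->inner_thoff = thoff;
    ctx->inner_thoff = nhoff + IP6_HDR_LEN;     /* the overwrite the fix removes */
    return 0;
}

/* Post-fix behaviour: the walked offset is kept. */
static int parse_inner_ipv6_fixed(const uint8_t *pkt, size_t len, int nhoff,
                                  struct inner_ctx *ctx)
{
    int thoff = ipv6_walk_exthdrs(pkt, len, nhoff, &ctx->l4proto);
    if (thoff < 0) return -1;
    ctx->inner_thoff = thoff;
    return 0;
}

/* What an "inner tcp dport"-style match would read at inner_thoff. */
static int read_l4_dport(const uint8_t *pkt, size_t len, int thoff)
{
    if (thoff < 0 || (size_t)thoff + 4 > len) return -1;
    return (pkt[thoff + 2] << 8) | pkt[thoff + 3];
}

/* Detection helper: bytes of extension headers between the base header and
   the transport header (0 = none, the common benign case). */
static int ipv6_exthdr_bytes(const uint8_t *pkt, size_t len, int nhoff)
{
    uint8_t proto;
    int thoff = ipv6_walk_exthdrs(pkt, len, nhoff, &proto);
    return thoff < 0 ? -1 : thoff - (nhoff + IP6_HDR_LEN);
}

/* Constructed sample: IPv6 base header, 8-byte Destination Options header
   (PadN), then a TCP SYN to destination port 22. Returns the length. */
static size_t build_sample_inner_ipv6(uint8_t *buf, size_t cap)
{
    static const uint8_t pkt[] = {
        /* version 6, payload length 28, next header 60 (Dst Opts), hop limit 64 */
        0x60, 0x00, 0x00, 0x00,  0x00, 0x1c, 0x3c, 0x40,
        /* src ::1 */ 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,1,
        /* dst ::2 */ 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,2,
        /* Dst Opts: next header 6 (TCP), len 0 (8 bytes), PadN option of 4 */
        0x06, 0x00, 0x01, 0x04,  0x00, 0x00, 0x00, 0x00,
        /* TCP: sport 40000, dport 22, seq 0, ack 0, doff 5, SYN, window 65535 */
        0x9c, 0x40, 0x00, 0x16,  0,0,0,0,  0,0,0,0,  0x50, 0x02, 0xff, 0xff,  0,0, 0,0,
    };
    if (cap < sizeof pkt) return 0;
    memcpy(buf, pkt, sizeof pkt);
    return sizeof pkt;
}

int main(void)
{
    uint8_t pkt[128];
    size_t len = build_sample_inner_ipv6(pkt, sizeof pkt);
    struct inner_ctx bug = {0}, fix = {0};
    parse_inner_ipv6_buggy(pkt, len, 0, &bug);
    parse_inner_ipv6_fixed(pkt, len, 0, &fix);
    printf("extension header bytes: %d\n", ipv6_exthdr_bytes(pkt, len, 0));
    printf("buggy: l4proto=%u thoff=%d dport=%d\n", bug.l4proto, bug.inner_thoff,
           read_l4_dport(pkt, len, bug.inner_thoff));
    printf("fixed: l4proto=%u thoff=%d dport=%d\n", fix.l4proto, fix.inner_thoff,
           read_l4_dport(pkt, len, fix.inner_thoff));
    return 0;
}
```

On the sample packet both parsers resolve l4proto to 6 (TCP), but the buggy path leaves inner_thoff at 40, so a port match reads the PadN option bytes (260) instead of the real destination port (22) found at offset 48. ipv6_exthdr_bytes() returning a non-zero value for inner traffic is the signal the detection strategy above looks for; a tunnel decapsulation probe or packet capture can feed it the inner IPv6 bytes with nhoff set to where the inner header begins.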
Monitoring Recommendations
- Enable verbose logging on nftables rules that match inner transport-layer fields and review for anomalies
- Monitor for traffic patterns where inner IPv6 packets consistently carry extension headers, which is uncommon in benign workloads
- Track kernel package versions across fleet inventory and flag hosts running affected stable branches
How to Mitigate CVE-2026-46244
Immediate Actions Required
- Identify hosts running Linux kernel 6.2 or later that use nftables inner matching against tunneled IPv6 traffic
- Apply the upstream fix that removes the incorrect overwrite of inner_thoff in nft_inner_parse_l2l3()
- Where patching is delayed, restrict or remove nftables inner rules that depend on inner IPv6 transport-layer matching
Patch Information
The fix removes the assignment that overwrites the value computed by ipv6_find_hdr(), preserving the correctly traversed transport header offset. The patch is available in upstream stable kernel commits: Kernel Git Commit 689bbf48, Kernel Git Commit 870d59e2, Kernel Git Commit b6a91f68, Kernel Git Commit c161ad91, and Kernel Git Commit d0f98a36. Rebuild and deploy kernels containing these commits, then reboot affected systems.
Workarounds
- Disable nftables rules that rely on inner matching of IPv6 transport headers until the patched kernel is deployed
- Drop or filter tunneled IPv6 packets containing extension headers at upstream network devices when feasible
- Enforce outer-header filtering policies that block untrusted tunnel endpoints, reducing exposure to crafted inner payloads
# Example: list nftables rules using inner expressions to audit exposure
sudo nft -a list ruleset | grep -nE 'inner|ip6'
# Example: verify running kernel against fixed versions
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.