CVE-2026-52920 Overview
CVE-2026-52920 is a Linux kernel vulnerability in the netfilter subsystem, specifically within the xt_policy match module. The flaw resides in the match_policy_in() function, which incorrectly walks IPsec security path (sec_path) entries from the last transform to the first when evaluating strict mode inbound policy matching. Strict matching requires consuming the info->pol[] array in the same forward order as the rule layout. The mismatch causes multi-element inbound policy rules to be matched inconsistently against IPsec-protected traffic.
Critical Impact
Inbound IPsec policy rules using strict mode with multiple transform elements may match incorrectly, potentially allowing traffic that should be blocked or blocking traffic that should be allowed.
Affected Products
- Linux kernel (mainline) — netfilter subsystem, xt_policy module
- Linux stable branches receiving the eight backported fixes listed in the kernel.org commits
- Distributions shipping unpatched kernels with the xt_policy netfilter match module enabled
Discovery Timeline
- 2026-06-24 - CVE-2026-52920 published to NVD
- 2026-06-24 - Last updated in NVD database
Technical Details for CVE-2026-52920
Vulnerability Analysis
The xt_policy netfilter match extension lets administrators write iptables rules that match packets based on their IPsec transformation history. In strict mode, each entry in the rule's policy array (info->pol[]) must align positionally with the IPsec transforms recorded in the packet's sec_path.
The defect is one of iteration order. match_policy_in() traverses sec_path entries from the last transform to the first, but it indexes info->pol[] as if traversal were forward. The result is a positional mismatch between the rule element being evaluated and the transform being inspected.
For single-element rules, the order is immaterial and the match still functions correctly. For multi-element strict rules, the wrong policy element is compared against each transform, producing inconsistent and incorrect match decisions. This is a logic error in input validation of network state [CWE-697 class behavior].
Root Cause
The root cause is an index mismatch in match_policy_in(). The function iterates sec_path entries in reverse but does not derive the corresponding info->pol[] index from the number of transforms already consumed. The upstream fix computes the strict-match policy position based on transforms consumed, restoring positional alignment with the rule layout.
Attack Vector
Exploitation requires network-adjacent IPsec traffic that triggers xt_policy strict-mode evaluation on a system with multi-element inbound policy rules. The vulnerability is a correctness defect rather than a memory safety issue. The practical impact is policy enforcement bypass or unintended traffic drops, depending on the rule layout and transform sequence presented by the inbound packet. There is no known remote code execution path, and no public proof-of-concept exploit is referenced in the kernel commits.
No verified exploit code is available for this issue. See the upstream commits listed under references for the patch logic.
Detection Methods for CVE-2026-52920
Indicators of Compromise
- Unexpected IPsec traffic passing or being dropped on hosts using iptables rules with -m policy --dir in --strict and two or more --proto/--mode/--tunnel-src/--tunnel-dst elements
- Counter discrepancies on netfilter rules referencing xt_policy strict inbound matching
- Asymmetric IPsec session behavior where only single-transform flows match policy as intended
Detection Strategies
- Audit iptables-save and nft list ruleset output for any rule using -m policy --dir in --strict with multiple --next elements, and validate match behavior against known-good IPsec test traffic
- Compare kernel package versions against the stable trees containing the fix commits (392cc1d8408b, 4b2b4d7d4e20, 82664d0f1ba2, 938867e870fb, b130a6eefa02, eb323f7b82d2, f98b7f85e04b, fc1c518bb1f0)
- Generate synthetic inbound IPsec flows traversing nested transforms and verify rule counters increment on the expected rule only
Monitoring Recommendations
- Collect netfilter rule hit counters at regular intervals and alert on deviations from baseline for policy-matching rules
- Forward kernel and IPsec (xfrm) logs to a centralized analytics platform for cross-host correlation of IPsec policy decisions
- Track kernel version inventory across the fleet to confirm patched builds are deployed wherever xt_policy strict mode is in use
How to Mitigate CVE-2026-52920
Immediate Actions Required
- Inventory all Linux hosts that load the xt_policy netfilter module and use strict inbound matching with multi-element rules
- Apply the latest stable kernel update from your distribution vendor that includes the upstream fix commits referenced below
- Where patching is delayed, rewrite multi-element strict inbound xt_policy rules as multiple single-element rules to avoid the affected code path
Patch Information
The fix is delivered through eight upstream commits across mainline and stable branches:
- Kernel Commit 392cc1d8408
- Kernel Commit 4b2b4d7d4e20
- Kernel Commit 82664d0f1ba2
- Kernel Commit 938867e870fb
- Kernel Commit b130a6eefa02
- Kernel Commit eb323f7b82d2
- Kernel Commit f98b7f85e04b
- Kernel Commit fc1c518bb1f0
The patch derives the strict-match policy index from the count of transforms already consumed, aligning evaluation with the rule layout.
Workarounds
- Replace multi-element strict inbound -m policy rules with a sequence of single-element rules until the kernel is patched
- Avoid --strict mode on inbound rules when multiple --next elements are required and rely on tightly scoped permissive matches instead
- Restrict which administrators can modify netfilter policy on affected hosts to reduce the chance of introducing vulnerable rule layouts
# Verify the running kernel and reload after upgrade
uname -r
sudo apt-get update && sudo apt-get install --only-upgrade linux-image-generic
sudo reboot
# Audit existing xt_policy strict inbound rules
sudo iptables-save | grep -E -- '-m policy.*--dir in.*--strict'
sudo nft list ruleset | grep -i 'ipsec in'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

