
CVE-2026-52999: Linux Kernel Use-After-Free Vulnerability

CVE-2026-52999 is a use-after-free vulnerability in the Linux kernel's netfilter nfnetlink_osf component that causes out-of-bounds reads during TCP option matching. This article covers technical details, affected versions, and mitigation.

CVE-2026-52999 Overview

CVE-2026-52999 is an out-of-bounds read vulnerability in the Linux kernel's netfilter subsystem, specifically within the nfnetlink_osf (Operating System Fingerprint) module. The flaw resides in the nf_osf_match() function, which shares a nf_osf_hdr_ctx structure by reference with nf_osf_match_one() across multiple fingerprint checks. When TCP option parsing advances the shared ctx->optp pointer and a fingerprint matches without restoring state, subsequent calls read beyond the options buffer. Systems configured with NF_OSF_LOGLEVEL_ALL are affected, producing garbage reads and incorrect log matches.

Critical Impact

The vulnerability allows kernel memory to be read out-of-bounds during TCP option parsing, causing fingerprint match failures, incorrect logging, and potential information leakage from adjacent kernel memory.

Affected Products

  • Linux kernel netfilter subsystem (nfnetlink_osf module)
  • Multiple stable kernel branches addressed via the kernel.org stable tree
  • Systems with OS fingerprint matching configured using NF_OSF_LOGLEVEL_ALL

Discovery Timeline

  • 2026-06-24 - CVE-2026-52999 published to NVD
  • 2026-06-24 - Last updated in NVD database

Technical Details for CVE-2026-52999

Vulnerability Analysis

The vulnerability lives in nf_osf_match() in the Linux kernel netfilter nfnetlink_osf module. The function initializes a single nf_osf_hdr_ctx structure and passes it by reference into nf_osf_match_one() for every fingerprint comparison. During TCP option parsing, nf_osf_match_one() advances the shared ctx->optp pointer to walk through TCP header options.

When a fingerprint matches exactly, the function returns early and never restores ctx->optp to its starting position. If the administrator configured NF_OSF_LOGLEVEL_ALL, the outer loop proceeds to evaluate additional fingerprints with the now-corrupted context. Each subsequent nf_osf_match_one() call begins parsing from beyond the end of the TCP options buffer, dereferencing memory outside the intended bounds.

The resulting out-of-bounds reads cause two visible effects. Fingerprint matches after the first hit fail because the parser reads garbage, and the kernel may emit incorrect match log entries. The patched code passes the context as a constant pointer and uses a local pointer for TCP option traversal, making nf_osf_match_one() stateless from the caller's perspective.

Root Cause

The root cause is improper state management of a shared pointer across iterations. nf_osf_match_one() mutates ctx->optp as a side effect, while the caller assumes the structure is reusable. No reset or save/restore logic guards the pointer between fingerprint evaluations.
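The following is an added example, not code from the kernel or from this page: a simplified C model of the nf_osf_match() / nf_osf_match_one() interaction described in the analysis and root-cause sections. It keeps a cursor into a constructed TCP options buffer and evaluates every fingerprint, as the outer loop does under NF_OSF_LOGLEVEL_ALL. The "shared" variant advances the cursor inside the context and never restores it; the "local" variant copies the cursor per call, as the fix does. Where the kernel would have read past the buffer, this model counts the attempt instead of dereferencing, so it runs safely. The TCP option kind values are the standard ones; every other name (osf_ctx, walk_options, evaluate, the fingerprints) is hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

#define TCPOPT_NOP       1
#define TCPOPT_MAXSEG    2
#define TCPOPT_WINDOW    3
#define TCPOPT_SACK_PERM 4

/* Stand-in for struct nf_osf_hdr_ctx: a cursor into the TCP options. */
struct osf_ctx {
    const unsigned char *optp;   /* current position in the options */
    const unsigned char *end;    /* one past the last option byte */
};

/* A fingerprint is modelled only by the sequence of option kinds it expects. */
struct fingerprint {
    const char *name;
    unsigned char kinds[4];
    int nkinds;
};

/*
 * Walk the options from *cursor, comparing each kind with the fingerprint.
 * On a full match the cursor is left advanced (mirroring the early return in
 * the vulnerable code).  The kernel had no bounds check at the top of this
 * loop; here a read at or past `end` is counted in *oob rather than performed.
 */
static int walk_options(const unsigned char **cursor, const unsigned char *end,
                        const struct fingerprint *fp, int *oob)
{
    const unsigned char *p = *cursor;
    for (int i = 0; i < fp->nkinds; i++) {
        if (p >= end) {            /* would be an out-of-bounds read */
            (*oob)++;
            return 0;
        }
        if (*p != fp->kinds[i])
            return 0;
        if (*p == TCPOPT_NOP) {    /* single-byte option */
            p++;
            continue;
        }
        /* kind/len options: validate the length before skipping */
        if (p + 1 >= end || p[1] < 2 || p + p[1] > end)
            return 0;
        p += p[1];
    }
    *cursor = p;
    return 1;
}

/* Vulnerable shape: the shared ctx->optp is advanced and never restored. */
static int match_one_shared(struct osf_ctx *ctx, const struct fingerprint *fp, int *oob)
{
    return walk_options(&ctx->optp, ctx->end, fp, oob);
}

/* Fixed shape: ctx is const and traversal uses a local cursor. */
static int match_one_local(const struct osf_ctx *ctx, const struct fingerprint *fp, int *oob)
{
    const unsigned char *optp = ctx->optp;
    return walk_options(&optp, ctx->end, fp, oob);
}

/* Constructed options: MSS 1460, NOP, window scale 7 (8 bytes). */
static const unsigned char sample_opts[] = {
    TCPOPT_MAXSEG, 4, 0x05, 0xb4,
    TCPOPT_NOP,
    TCPOPT_WINDOW, 3, 7,
};

/* Constructed fingerprints; "os-b" has the same option layout as "os-a". */
static const struct fingerprint sample_fps[] = {
    { "os-a", { TCPOPT_MAXSEG, TCPOPT_NOP, TCPOPT_WINDOW }, 3 },
    { "os-b", { TCPOPT_MAXSEG, TCPOPT_NOP, TCPOPT_WINDOW }, 3 },
    { "os-c", { TCPOPT_MAXSEG, TCPOPT_SACK_PERM }, 2 },
};

/*
 * Evaluate every fingerprint, continuing after a hit as the LOGLEVEL_ALL path
 * does.  Returns the match count; *oob receives the number of avoided
 * out-of-bounds reads.
 */
int evaluate(int use_fix, int *oob)
{
    struct osf_ctx ctx = { sample_opts, sample_opts + sizeof sample_opts };
    int matches = 0;
    *oob = 0;
    for (size_t i = 0; i < sizeof sample_fps / sizeof sample_fps[0]; i++) {
        int hit = use_fix ? match_one_local(&ctx, &sample_fps[i], oob)
                          : match_one_shared(&ctx, &sample_fps[i], oob);
        if (hit)
            matches++;
    }
    return matches;
}

int main(void)
{
    int oob;
    int m = evaluate(0, &oob);
    printf("shared cursor: %d matches, %d out-of-bounds reads avoided\n", m, oob);
    m = evaluate(1, &oob);
    printf("local cursor:  %d matches, %d out-of-bounds reads avoided\n", m, oob);
    return 0;
}
```

With the shared cursor only the first fingerprint matches and both later evaluations would have started at the end of the buffer; with the local cursor the second identical signature matches as well and no read leaves the buffer. That is exactly the difference between the "fingerprint matches after the first hit fail" symptom and the patched behaviour.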

Attack Vector

Exploitation requires the netfilter OS fingerprinting feature to be enabled with NF_OSF_LOGLEVEL_ALL. A remote attacker sending crafted TCP packets with specific options can trigger the matching path. The impact is confined to out-of-bounds kernel reads, which can leak adjacent kernel memory into log output or corrupt matching decisions. See the upstream kernel commit for the corrected traversal logic.

No verified exploit code is available. The vulnerability mechanism is described in prose above. Refer to the kernel.org stable commits for the exact source-level changes to nf_osf_match() and nf_osf_match_one().

Detection Methods for CVE-2026-52999

Indicators of Compromise

  • Unexpected or duplicated OS fingerprint match entries in dmesg or kernel logs when NF_OSF_LOGLEVEL_ALL is set
  • Inconsistent fingerprint logging where a single connection produces conflicting OS identifications
  • KASAN (Kernel Address Sanitizer) reports referencing nf_osf_match_one or nfnetlink_osf

Detection Strategies

  • Inventory hosts running affected kernel versions and confirm whether the nfnetlink_osf module is loaded with lsmod | grep nfnetlink_osf.
  • Audit netfilter rule sets for xt_osf usage and check whether the NF_OSF_LOGLEVEL_ALL option is enabled.
  • Enable KASAN in test environments to surface out-of-bounds reads during TCP option parsing.
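As an added example for the rule-set audit step (not a script from this page or from the kernel project), the POSIX shell functions below scan an iptables-save dump for xt_osf rules and single out those whose --log level selects "log all". The sample dump is constructed. The mapping of --log 0 to NF_OSF_LOGLEVEL_ALL is an assumption based on the libxt_osf help text; confirm it against the iptables-extensions documentation for your version before acting on the result.

```shell
#!/bin/sh
# Constructed sample standing in for `sudo iptables-save` output.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m osf --genre Linux --ttl 1 --log 0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m osf --genre Windows --log 1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# Print every rule that uses the osf match. Reads a rule dump from stdin.
osf_rules() {
    grep -- '-m osf' || true
}

# Print only osf rules whose --log level is 0 (assumed: NF_OSF_LOGLEVEL_ALL).
osf_rules_log_all() {
    osf_rules | grep -E -- '--log[[:space:]]+0([[:space:]]|$)' || true
}

# Count non-empty lines; prints 0 for empty input.
count_lines() {
    grep -c . || true
}

# Summarise the constructed sample.
audit_sample() {
    n_osf=$(printf '%s\n' "$SAMPLE_RULES" | osf_rules | count_lines)
    n_all=$(printf '%s\n' "$SAMPLE_RULES" | osf_rules_log_all | count_lines)
    printf 'osf rules: %s, of which log-all: %s\n' "$n_osf" "$n_all"
}

# Live check on a host (as root):  iptables-save | osf_rules_log_all
audit_sample
```

On the sample dump the audit reports two osf rules, one of which uses the log-all level. Rules that use osf without log-all still deserve a look when deciding whether the module is needed at all.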

Monitoring Recommendations

  • Monitor kernel log volume and content for anomalous nf_osf match entries.
  • Track running kernel versions against the patched commits listed on git.kernel.org/stable.
  • Alert on loading of the nfnetlink_osf module on systems where OS fingerprinting is not required.

How to Mitigate CVE-2026-52999

Immediate Actions Required

  • Apply the patched Linux kernel from your distribution as soon as updates are available for your stable branch.
  • If patching is not immediately possible, avoid configuring NF_OSF_LOGLEVEL_ALL, which is the trigger condition for the bug.
  • Unload the nfnetlink_osf module on systems that do not require OS fingerprint matching.

Patch Information

The fix replaces the shared ctx->optp pointer with a local pointer scoped to each nf_osf_match_one() invocation. The corrected code paths are committed in the upstream stable tree. See the primary kernel commit and the related backports, including commits 0145548346c4, 1e19a07291bb, and f5ca450087c3, for coverage across stable branches.

Workarounds

  • Disable the nfnetlink_osf module via modprobe -r nfnetlink_osf if OS fingerprinting is not in use.
  • Remove any xt_osf match rules from netfilter configurations until the kernel is updated.
  • Reconfigure logging to avoid NF_OSF_LOGLEVEL_ALL, which forces the vulnerable iteration path.

```bash
# Verify whether the affected module is loaded
lsmod | grep nfnetlink_osf

# Unload the module if OS fingerprint matching is not required
sudo modprobe -r nfnetlink_osf

# Prevent the module from loading on boot
echo "blacklist nfnetlink_osf" | sudo tee /etc/modprobe.d/blacklist-nfnetlink_osf.conf

# Inspect current netfilter rules for xt_osf usage
sudo iptables-save | grep -i osf
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
