netfilter: nft_inner: Fix IPv6 inner_thoff desync_CVE-2026-46244

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_inner: Fix IPv6 inner_thoff desync

In nft_inner_parse_l2l3(), when processing inner IPv6 packets,
ipv6_find_hdr() correctly computes the transport header offset
traversing all extension headers, but the result is immediately
overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only
accounts for the IPv6 base header. This creates a desync between
inner_thoff (wrong — points to extension header start) and l4proto
(correct — e.g., IPPROTO_TCP), enabling transport header forgery
and potential firewall bypass. This issue affects stable versions
from Linux 6.2.

For comparison, the normal (non-inner) IPv6 path correctly
preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite
ensures that ipv6_find_hdr()'s calculated transport header offset is
preserved, thereby fixing the desynchronization.

Basic Information

ID CVE-2026-46244

Source Linux

Published Jun 3, 2026 at 15:48

Modified Jun 5, 2026 at 06:06

Affected Product

Vendor Linux

Product Linux

Version 3a07327d10a09379315c844c63f27941f5081e0a

Affected Versions Linux Linux 3a07327d10a09379315c844c63f27941f5081e0a
Linux Linux 3a07327d10a09379315c844c63f27941f5081e0a
Linux Linux 3a07327d10a09379315c844c63f27941f5081e0a
Linux Linux 3a07327d10a09379315c844c63f27941f5081e0a
Linux Linux 3a07327d10a09379315c844c63f27941f5081e0a
Linux Linux 6.2

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_inner: Fix IPv6 inner_thoff desync\n\nIn nft_inner_parse_l2l3(), when processing inner IPv6 packets,\nipv6_find_hdr() correctly computes the transport header offset\ntraversing all extension headers, but the result is immediately\noverwritten with nhoff + sizeof(_ip6h) (40 bytes), which only\naccounts for the IPv6 base header. This creates a desync between\ninner_thoff (wrong \u2014 points to extension header start) and l4proto\n(correct \u2014 e.g., IPPROTO_TCP), enabling transport header forgery\nand potential firewall bypass. This issue affects stable versions\nfrom Linux 6.2.\n\nFor comparison, the normal (non-inner) IPv6 path correctly\npreserves ipv6_find_hdr()'s result. Removing the incorrect overwrite\nensures that ipv6_find_hdr()'s calculated transport header offset is\npreserved, thereby fixing the desynchronization.",
    "published": "2026-06-03T15:48:59.049Z",
    "modified": "2026-06-05T06:06:19.081Z",
    "type": "cve",
    "title": "netfilter: nft_inner: Fix IPv6 inner_thoff desync",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/c161ad9157f5a0429b5ff94d9770faf3bf48d273\nhttps://git.kernel.org/stable/c/870d59e2cf218e7418491e26bad768cb16654582\nhttps://git.kernel.org/stable/c/689bbf48c1f45130086ae1c46ab83ea4c753c601\nhttps://git.kernel.org/stable/c/d0f98a3617f6ae5b1e95cde1e68e7ead4a1279ce\nhttps://git.kernel.org/stable/c/b6a91f68ebfed9c38e0e9150f58a9b85da07181c",
    "id": "CVE-2026-46244",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 3a07327d10a09379315c844c63f27941f5081e0a\nLinux Linux 3a07327d10a09379315c844c63f27941f5081e0a\nLinux Linux 3a07327d10a09379315c844c63f27941f5081e0a\nLinux Linux 3a07327d10a09379315c844c63f27941f5081e0a\nLinux Linux 3a07327d10a09379315c844c63f27941f5081e0a\nLinux Linux 6.2",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "3a07327d10a09379315c844c63f27941f5081e0a",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply