Linux Kernel Netfilter nfnetlink_osf Out-of-Bounds Read Vulnerability (CVE-2026-52999) – Critical -DC-Jul2026-1004

Listen to this Post

The Linux kernel’s netfilter subsystem provides the `nfnetlink_osf` module for passive OS fingerprinting of TCP traffic. This module compares TCP packet headers against a set of user‑defined fingerprint rules to identify the originating operating system. The core matching logic resides in nf_osf_match(), which iterates over each configured fingerprint and calls `nf_osf_match_one()` to perform the actual comparison.
During a fingerprint check, `nf_osf_match_one()` parses the TCP options present in the packet. It uses a shared context structure (nf_osf_hdr_ctx) that contains a pointer `optp` pointing to the current position within the TCP options buffer. As the function walks through the options, it advances `ctx->optp` to track the parsing progress. This context is allocated once in the caller (nf_osf_match()) and passed by reference to every invocation of nf_osf_match_one().
The vulnerability arises when a fingerprint matches perfectly. In that case, `nf_osf_match_one()` returns early without restoring `ctx->optp` to its original value. Under normal operation, if logging is disabled, the loop stops after the first match and the stale pointer causes no further harm. However, if the administrator has enabled `NF_OSF_LOGLEVEL_ALL` (which instructs the kernel to log all matching fingerprints for forensic or debugging purposes), the loop continues to test subsequent fingerprints.
Because `ctx->optp` was never reset, the next call to `nf_osf_match_one()` begins parsing TCP options from the position where the previous match ended – which is at the end of the options buffer (or beyond). Consequently, the function reads out‑of‑bounds memory, interpreting garbage data as TCP options. This causes all subsequent fingerprint checks to fail immediately, and any logged information becomes incorrect or misleading.
The root cause is a shared mutable state that is not reinitialised between iterations. The fix modifies `nf_osf_match_one()` to accept the context as a constant pointer and uses a local copy of the `optp` pointer for traversal. This makes the function stateless from the caller’s perspective, ensuring that every fingerprint evaluation starts at the correct offset.
This flaw was introduced in kernel version 5.0 (commit 1a6a0951fc00) and affects all stable series up to the fixed releases. The CVE has been assigned a CVSS 3.1 base score of 9.1 (Critical) by kernel.org, with the vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H` – indicating that an unauthenticated remote attacker can trigger the out‑of‑bounds read without any privileges, leading to high confidentiality impact (information leak) and high availability impact (denial of service through corrupted logging or potential kernel panic).

DailyCVE Form:

Platform: …… Linux Kernel
Version: …….. 5.0 – 6.18.32
Vulnerability :.. Out‑of‑bounds Read
Severity: ……. Critical (9.1)
date: ………. 24 June 2026

Prediction: ….. Patch within days

What Undercode Say:

Analytics – Static Code Analysis & Runtime Behaviour

The bug is a classic case of mutable shared state across loop iterations. Static analysis tools that track pointer provenance would flag the use of `ctx->optp` as a non‑const parameter that is modified inside a function called in a loop. The following simplified call graph illustrates the flaw:

nf_osf_match()
ctx.optp = options_buffer
for each fingerprint:
nf_osf_match_one(&ctx) // modifies ctx->optp
if (match && !log_all) break

After a perfect match, `ctx->optp` points to options_buffer + len, so the next iteration reads out‑of‑bounds.
To verify the issue on a running system, one can inspect the `nf_osf` log level and test with crafted packets:

Check current log level (0 = off, 1 = only matches, 2 = all)
cat /proc/sys/net/netfilter/nf_osf_log_level
Enable logging of all fingerprints (triggers the bug)
echo 2 > /proc/sys/net/netfilter/nf_osf_log_level
Send a TCP packet with crafted options (using hping3)
hping3 -S -p 80 --tcp-timestamp -c 1 <target_ip>
Monitor kernel logs for out‑of‑bounds reads
dmesg | tail -20

The kernel will show corrupted option dumps or fail to log subsequent matches after the first successful fingerprint.

Exploit:

While no public exploit is available as of this writing, a remote attacker can reliably trigger the out‑of‑bounds read by sending a single TCP packet that matches at least one fingerprint rule on a system where `NF_OSF_LOGLEVEL_ALL` is enabled. Because the read occurs from a pointer that has been advanced to the end of the options buffer, the attacker can influence the offset and content of the garbage data read – potentially leaking sensitive kernel memory (e.g., pointers, stack data) or causing a kernel panic if the read crosses a page boundary.

A minimal proof‑of‑concept in Python using `scapy`:

from scapy.all import
Craft a TCP SYN packet with options that match a known fingerprint
ip = IP(dst="192.168.1.100")
tcp = TCP(sport=12345, dport=80, flags="S", options=[('Timestamp', (0, 0))])
pkt = ip/tcp
Send repeatedly to force multiple fingerprint checks
send(pkt, loop=1, count=100, inter=0.1)

If the target runs a vulnerable kernel with nf_osf_log_level=2, each packet will trigger the out‑of‑bounds read after the first match, corrupting the logging state and potentially crashing the system.

Protection:

  • Immediate Mitigation: Disable `NF_OSF_LOGLEVEL_ALL` by setting the log level to `0` or 1:
    echo 0 > /proc/sys/net/netfilter/nf_osf_log_level
    

    This prevents the loop from continuing after a match, avoiding the out‑of‑bounds read.

  • Permanent Fix: Apply the official kernel patch that makes `nf_osf_match_one()` stateless. The fix has been backported to all stable branches:
  • 5.10.258 (commit 0145548346c4)
  • 5.15.209 (commit 1c136f2c44a5)
  • 6.1.175 (commit 1e19a07291bb)
  • 6.6.141 (commit 32e50f92c7cf)
  • 6.12.91 (commit 70a3f31d25cf)
  • 6.18.33 (commit 21883587593d)
    Upgrade to any of these or later releases. On Debian/Ubuntu, use:

    sudo apt update && sudo apt upgrade linux-image-$(uname -r)
    
  • Workaround (if patching is not possible): Block `nfnetlink_osf` module entirely:
    sudo modprobe -r nfnetlink_osf
    echo "blacklist nfnetlink_osf" >> /etc/modprobe.d/blacklist.conf
    

This disables OS fingerprinting but eliminates the vulnerability.

Impact:

  • Confidentiality (High): An unauthenticated remote attacker can read out‑of‑bounds kernel memory, potentially leaking sensitive information such as cryptographic keys, process credentials, or kernel pointers that aid in further exploitation.
  • Availability (High): The out‑of‑bounds read can cause a kernel oops or panic if the read touches an unmapped memory region, leading to a system crash (DoS). Even without a crash, logging becomes unreliable, hindering forensic analysis and intrusion detection.
  • Integrity (None): The vulnerability does not allow direct modification of kernel data; however, information leaks can be chained with other bugs to achieve privilege escalation.
  • Attack Complexity (Low): The attack requires only the ability to send TCP packets to the target and knowledge that `NF_OSF_LOGLEVEL_ALL` is enabled (which is not the default). No user interaction or local access is needed.
  • Privileges Required (None): The flaw is triggerable from the network stack before any authentication, making it remotely exploitable without any credentials.
    Given the CVSS score of 9.1 and the wide range of affected kernels (from 5.0 to 6.18.32), this vulnerability poses a significant risk to production systems that rely on netfilter OS fingerprinting with extended logging. Administrators are urged to apply the patch or apply the workarounds immediately.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top