CVE-2026-46244 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Linux	Linux Kernel

References

Link	Providers
https://git.kernel.org/stable/c/689bbf48c1f45130086ae1c46ab83ea4c753c601
https://git.kernel.org/stable/c/870d59e2cf218e7418491e26bad768cb16654582
https://git.kernel.org/stable/c/b6a91f68ebfed9c38e0e9150f58a9b85da07181c
https://git.kernel.org/stable/c/c161ad9157f5a0429b5ff94d9770faf3bf48d273
https://git.kernel.org/stable/c/d0f98a3617f6ae5b1e95cde1e68e7ead4a1279ce

History

Wed, 03 Jun 2026 19:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-665

Wed, 03 Jun 2026 17:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.
Title		netfilter: nft_inner: Fix IPv6 inner_thoff desync
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/689bbf48c1f45130086ae1c46ab83ea4c753c601 https://git.kernel.org/stable/c/870d59e2cf218e7418491e26bad768cb16654582 https://git.kernel.org/stable/c/b6a91f68ebfed9c38e0e9150f58a9b85da07181c https://git.kernel.org/stable/c/c161ad9157f5a0429b5ff94d9770faf3bf48d273 https://git.kernel.org/stable/c/d0f98a3617f6ae5b1e95cde1e68e7ead4a1279ce

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-03T15:48:59.049Z

Updated: 2026-06-03T15:48:59.049Z

Reserved: 2026-05-13T15:03:33.107Z

Link: CVE-2026-46244

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-03T18:16:24.430

Modified: 2026-06-03T18:16:24.430

Link: CVE-2026-46244

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T20:15:26Z

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object