{ "threat_severity" : "Moderate", "public_date" : "2026-05-27T00:00:00Z", "bugzilla" : { "description" : "kernel: netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO", "id" : "2481867", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2481867" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-369", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnetfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO\nnf_osf_match_one() computes ctx->window % f->wss.val in the\nOSF_WSS_MODULO branch with no guard for f->wss.val == 0. A\nCAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a\nsubsequent matching TCP SYN divides by zero and panics the kernel.\nReject the bogus fingerprint in nfnl_osf_add_callback() above the\nper-option for-loop. f->wss is per-fingerprint, not per-option, so\nthe check must run regardless of f->opt_num (including 0). Also\nreject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that\nas \"should not happen\".\nCrash:\nOops: divide error: 0000 [#1] SMP KASAN NOPTI\nRIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)\nCall Trace:\n\nnf_osf_match (net/netfilter/nfnetlink_osf.c:220)\nxt_osf_match_packet (net/netfilter/xt_osf.c:32)\nipt_do_table (net/ipv4/netfilter/ip_tables.c:348)\nnf_hook_slow (net/netfilter/core.c:622)\nip_local_deliver (net/ipv4/ip_input.c:265)\nip_rcv (include/linux/skbuff.h:1162)\n__netif_receive_skb_one_core (net/core/dev.c:6181)\nprocess_backlog (net/core/dev.c:6642)\n__napi_poll (net/core/dev.c:7710)\nnet_rx_action (net/core/dev.c:7945)\nhandle_softirqs (kernel/softirq.c:622)", "A flaw was found in the Linux kernel's netfilter component. A local attacker with CAP_NET_ADMIN capabilities, which grants certain network administration privileges, could trigger a divide-by-zero error by adding a specially crafted fingerprint via nfnetlink. This vulnerability could lead to a kernel panic, effectively causing a Denial of Service (DoS) on the affected system." ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-45841\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-45841\nhttps://lore.kernel.org/linux-cve-announce/2026052712-CVE-2026-45841-9575@gregkh/T" ], "name" : "CVE-2026-45841", "csaw" : false }