CVE-2026-45873
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk5th percentile - higher than 5% of all known CVEs
Summary
In the Linux kernel, a vulnerability was found in the netfilter packet filtering mechanism, specifically in red-black tree based sets (nft_set_rbtree). The issue is the lack of checking for partially overlapping intervals in anonymous sets, which can lead to incorrect filtering rule behavior.
Risk Assessment
An attacker could exploit this flaw to introduce conflicting filtering rules, potentially bypassing network security measures or causing unexpected system behavior.
Recommendation
Immediately update the Linux kernel to a version containing the fix (commit in the netfilter repository) that restores the check for overlapping start elements in anonymous sets.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: check for partial overlaps in anonymous sets Userspace provides an optimized representation in case intervals are adjacent, where the end element is omitted. The existing partial overlap detection logic skips anonymous set checks on start elements for this reason. However, it is possible to add intervals that overlap to this anonymous where two start elements with the same, eg. A-B, A-C where C < B. start end A B start end A C Restore the check on overlapping start elements to report an overlap.

