CVE-2026-46244
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk23th percentile — higher than 23% of all known CVEs
Summary
In the Linux kernel versions from 6.2, a vulnerability was found in the netfilter nft_inner module. When processing inner IPv6 packets, the correctly computed transport header offset is overwritten with a constant value of 40 bytes, causing a desync between the offset and the transport layer protocol. This enables transport header forgery and potential firewall bypass.
Risk Assessment
An attacker can exploit this vulnerability to send crafted IPv6 packets that bypass firewall rules based on the nft_inner module, potentially leading to unauthorized access to protected resources.
Recommendation
Immediately update the Linux kernel to a version containing the fix that removes the incorrect overwrite of the transport header offset in nft_inner_parse_l2l3().
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.

