CVE Catalog

CVE-2026-52920

HighCVSS 8.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

22th percentile - higher than 22% of all known CVEs

Summary

A vulnerability was found in the Linux kernel's netfilter xt_policy module, affecting strict mode inbound policy matching. The match_policy_in() function processes sec_path entries in reverse order, causing inconsistent matching of multi-element inbound rules.

Risk Assessment

The organization may experience inconsistent enforcement of IPsec security policies for inbound traffic, potentially leading to bypass or misapplication of filtering rules.

Recommendation

Immediately update the Linux kernel to a version containing the fix for CVE-2026-52920. Monitor official security advisories from your Linux distribution.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_policy: fix strict mode inbound policy matching match_policy_in() walks sec_path entries from the last transform to the first one, but strict policy matching needs to consume info->pol[] in the same forward order as the rule layout. Derive the strict-match policy position from the number of transforms already consumed so that multi-element inbound rules are matched consistently.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS