CVE-2026-52920
HighCVSS 8.3Exploitation Probability (EPSS)
Low risk22th percentile - higher than 22% of all known CVEs
Summary
A vulnerability was found in the Linux kernel's netfilter xt_policy module, affecting strict mode inbound policy matching. The match_policy_in() function processes sec_path entries in reverse order, causing inconsistent matching of multi-element inbound rules.
Risk Assessment
The organization may experience inconsistent enforcement of IPsec security policies for inbound traffic, potentially leading to bypass or misapplication of filtering rules.
Recommendation
Immediately update the Linux kernel to a version containing the fix for CVE-2026-52920. Monitor official security advisories from your Linux distribution.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_policy: fix strict mode inbound policy matching match_policy_in() walks sec_path entries from the last transform to the first one, but strict policy matching needs to consume info->pol[] in the same forward order as the rule layout. Derive the strict-match policy position from the number of transforms already consumed so that multi-element inbound rules are matched consistently.

