{ "threat_severity" : "Moderate", "public_date" : "2026-05-06T00:00:00Z", "bugzilla" : { "description" : "kernel: netfilter: xt_tcpmss: check remaining length before reading optlen", "id" : "2467064", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2467064" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status" : "draft" }, "cwe" : "CWE-125", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnetfilter: xt_tcpmss: check remaining length before reading optlen\nQuoting reporter:\nIn net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads\nop[i+1] directly without validating the remaining option length.\nIf the last byte of the option field is not EOL/NOP (0/1), the code attempts\nto index op[i+1]. In the case where i + 1 == optlen, this causes an\nout-of-bounds read, accessing memory past the optlen boundary\n(either reading beyond the stack buffer _opt or the\nfollowing payload).", "A flaw was found in the Linux kernel, specifically within the netfilter: xt_tcpmss module. A remote attacker could exploit this vulnerability by sending a specially crafted TCP packet. The TCP option parser does not properly validate the remaining option length, which results in an out-of-bounds read. This allows an attacker to access memory beyond the intended buffer, potentially leading to information disclosure." ], "statement" : "xt_tcpmss can read one byte past the TCP option boundary when the last option byte is not EOL or NOP. The parser may evaluate op i plus 1 while i is already the final byte of the option area, so a crafted TCP packet can trigger an out of bounds read in the netfilter match path. If the attacker can send packets through a ruleset that uses the tcpmss match, then it can trigger this bug. The issue is network reachable only on systems with an applicable xt_tcpmss or iptables rule, and it is not a generic TCP stack exposure. Impact is primarily limited confidentiality risk from a one byte out of bounds read and possible low availability impact.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Under investigation", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-43190\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43190\nhttps://lore.kernel.org/linux-cve-announce/2026050642-CVE-2026-43190-f1c9@gregkh/T" ], "name" : "CVE-2026-43190", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }