CVE-2026-43190

high

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_tcpmss: check remaining length before reading optlen Quoting reporter: In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads op[i+1] directly without validating the remaining option length. If the last byte of the option field is not EOL/NOP (0/1), the code attempts to index op[i+1]. In the case where i + 1 == optlen, this causes an out-of-bounds read, accessing memory past the optlen boundary (either reading beyond the stack buffer _opt or the following payload).

References

https://git.kernel.org/stable/c/f895191dc32c53eaf443b6443fe40945b2f92287

https://git.kernel.org/stable/c/f6c412dcfd76b0516d51aa847d8f4c7b70381b09

https://git.kernel.org/stable/c/eaedc0bc18be46fe7f58170e967959a932c4f824

https://git.kernel.org/stable/c/cd5beda7e0e32865e214f28034bb92c1cecff885

https://git.kernel.org/stable/c/8b300f726640c48c3edfe9c453334dd801f4b74e

https://git.kernel.org/stable/c/735ee8582da3d239eb0c7a53adca61b79fb228b3

https://git.kernel.org/stable/c/5e13d0a37666955b6cfddc0f73cb40ed645b8a05

https://git.kernel.org/stable/c/07a9b32eaae792ff7d0fcac14d8920c937c0a9c3

Details

Source: Mitre, NVD

Published: 2026-05-06

Updated: 2026-05-06

Risk Information

CVSS v2

Base Score: 6.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:C

Severity: Medium

CVSS v3

Base Score: 7.1

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Severity: High

EPSS

EPSS: 0.00024