{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-46244","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-13T15:03:33.107Z","datePublished":"2026-06-03T15:48:59.049Z","dateUpdated":"2026-06-14T18:05:25.011Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-14T18:05:25.011Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_inner: Fix IPv6 inner_thoff desync\n\nIn nft_inner_parse_l2l3(), when processing inner IPv6 packets,\nipv6_find_hdr() correctly computes the transport header offset\ntraversing all extension headers, but the result is immediately\noverwritten with nhoff + sizeof(_ip6h) (40 bytes), which only\naccounts for the IPv6 base header. This creates a desync between\ninner_thoff (wrong — points to extension header start) and l4proto\n(correct — e.g., IPPROTO_TCP), enabling transport header forgery\nand potential firewall bypass. This issue affects stable versions\nfrom Linux 6.2.\n\nFor comparison, the normal (non-inner) IPv6 path correctly\npreserves ipv6_find_hdr()'s result. Removing the incorrect overwrite\nensures that ipv6_find_hdr()'s calculated transport header offset is\npreserved, thereby fixing the desynchronization."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/netfilter/nft_inner.c"],"versions":[{"version":"3a07327d10a09379315c844c63f27941f5081e0a","lessThan":"c161ad9157f5a0429b5ff94d9770faf3bf48d273","status":"affected","versionType":"git"},{"version":"3a07327d10a09379315c844c63f27941f5081e0a","lessThan":"870d59e2cf218e7418491e26bad768cb16654582","status":"affected","versionType":"git"},{"version":"3a07327d10a09379315c844c63f27941f5081e0a","lessThan":"689bbf48c1f45130086ae1c46ab83ea4c753c601","status":"affected","versionType":"git"},{"version":"3a07327d10a09379315c844c63f27941f5081e0a","lessThan":"d0f98a3617f6ae5b1e95cde1e68e7ead4a1279ce","status":"affected","versionType":"git"},{"version":"3a07327d10a09379315c844c63f27941f5081e0a","lessThan":"b6a91f68ebfed9c38e0e9150f58a9b85da07181c","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/netfilter/nft_inner.c"],"versions":[{"version":"6.2","status":"affected"},{"version":"0","lessThan":"6.2","status":"unaffected","versionType":"semver"},{"version":"6.6.142","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.92","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.34","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.11","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.142"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.12.92"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.18.34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"7.0.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"7.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/c161ad9157f5a0429b5ff94d9770faf3bf48d273"},{"url":"https://git.kernel.org/stable/c/870d59e2cf218e7418491e26bad768cb16654582"},{"url":"https://git.kernel.org/stable/c/689bbf48c1f45130086ae1c46ab83ea4c753c601"},{"url":"https://git.kernel.org/stable/c/d0f98a3617f6ae5b1e95cde1e68e7ead4a1279ce"},{"url":"https://git.kernel.org/stable/c/b6a91f68ebfed9c38e0e9150f58a9b85da07181c"}],"title":"netfilter: nft_inner: Fix IPv6 inner_thoff desync","x_generator":{"engine":"bippy-1.2.0"}}}}