CVE-2026-52998
CVE-2026-52998 is a high-severity vulnerability with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- EPSS exploit prediction: 1% (40th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-38866
- Published:
- Last modified:
Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check The nf_osf_ttl() function accessed skb->dev to perform a local interface address lookup without verifying that the device pointer was valid. Additionally, the implementation utilized an in_dev_for_each_ifa_rcu loop to match the packet source address against local interface addresses. It assumed that packets from the same subnet should not see a decrement on the initial TTL. A packet might appear it is from the same subnet but it actually isn't especially in modern environments with containers and virtual switching. Remove the device dereference and interface loop. Replace the logic with a switch statement that evaluates the TTL according to the ttl_check.
Frequently asked questions
- What is CVE-2026-52998?
- In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check The nf_osf_ttl() function accessed skb->dev to perform a local interface address lookup without verifying that the device pointer was valid. Additionally, the implementation utilized an in_dev_for_each_ifa_rcu loop to match the packet source address against local interface addresses. It assumed that packets from the same subnet should not see a decrement on the initial TTL. A packet might appear it is from the same subnet but it actually isn't especially in modern environments with containers and virtual switching. Remove the device dereference and interface loop. Replace the logic with a switch statement that evaluates the TTL according to the ttl_check.
- How severe is CVE-2026-52998?
- CVE-2026-52998 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2026-52998 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (40th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2026-52998?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-52998 have an EU (EUVD) identifier?
- Yes. CVE-2026-52998 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-38866.
- When was CVE-2026-52998 published?
- CVE-2026-52998 was published on 2026-06-24 and last updated on 2026-06-28.
References
- https://git.kernel.org/stable/c/5d05de2f0928d81309a815ecc76d1a3ad72cbc16
- https://git.kernel.org/stable/c/711987ba281fd806322a7cd244e98e2a81903114
- https://git.kernel.org/stable/c/79b90a96688e521771fa6ed3dc7864b76b8df293
- https://git.kernel.org/stable/c/83fc5dd63455a779ea2dd0f7ffee3c920919d80b
- https://git.kernel.org/stable/c/95be653a76793856ff8b2d8bd82c2943c23f5ca8
- https://git.kernel.org/stable/c/c996a90f3071cf43683e5423da31aadbe002b8b4
- https://git.kernel.org/stable/c/edc806f9122961f0d3819f7c69c14cccde31f277
- https://git.kernel.org/stable/c/f4de0777e4554a7de19c920accde6319dd530782