CVE-2026-23397: Buffer Over-read in nfnetlink_osf Fingerprints

Verified by Precogs Threat Research
Last Updated: Mar 26, 2026
Base Score: MEDIUM

Executive Summary

CVE-2026-23397 is a medium-severity vulnerability in the Linux kernel's nfnetlink_osf module, classified as Out-of-bounds Read (CWE-125). Ensure affected kernels and dependent systems are patched immediately to mitigate exposure.

Precogs AI Insight

"Precogs AI detected this vulnerability pattern in Out-of-bounds Read implementations. The pattern deviates from documented secure coding standards, suggesting a high likelihood of exploitation if unpatched."

Exploit Probability: Low (<10%)
Public POC: Undisclosed
Affected Assets: CWE-125

Summary

A medium-severity out-of-bounds read vulnerability (CVE-2026-23397) has been identified in the Linux kernel's nfnetlink_osf module. The nfnl_osf_add_callback() function fails to validate individual option length fields within OS fingerprint structures (CWE-125).

Technical Details

The issue is classified under CWE-125 (Out-of-bounds Read). The nfnetlink_osf module implements passive OS fingerprinting for Netfilter. When adding new fingerprint entries via netlink, the nfnl_osf_add_callback() function validates the overall opt_num bounds and ensures string NUL-termination, but does not validate the length field of each individual option within the fingerprint structure.

A malicious option entry with an oversized length field causes the kernel to read memory beyond the allocated buffer when processing the fingerprint, potentially exposing sensitive kernel data.
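The missing per-option check, modelled as an added example rather than kernel code: the struct layouts, the 40-byte MAX_IPOPTLEN limit and both check functions are simplified stand-ins for illustration, not the nfnetlink_osf definitions or the actual patch.

```c
#include <stdbool.h>
#include <stdint.h>

#define MAX_IPOPTLEN 40   /* TCP option area is at most 40 bytes (assumed limit) */

struct osf_opt {          /* one fingerprint option, simplified stand-in */
    uint16_t kind;
    uint16_t length;      /* user-supplied over netlink; the field at issue */
};

struct osf_finger {       /* one fingerprint entry, simplified stand-in */
    uint16_t opt_num;     /* number of valid entries in opt[] */
    struct osf_opt opt[MAX_IPOPTLEN];
};

/* Pre-fix style check: only the option count is bounded, so an entry with an
 * oversized length is accepted and can later push a matcher's read pointer
 * past the packet's option area. */
bool osf_finger_check_count_only(const struct osf_finger *f)
{
    return f->opt_num <= MAX_IPOPTLEN;
}

/* Hardened check: bound the count and every individual length. A zero length
 * would stall a matcher without advancing; a length larger than the option
 * bytes still unaccounted for would read past the end of the option area. */
bool osf_finger_check_per_option(const struct osf_finger *f)
{
    unsigned remaining = MAX_IPOPTLEN;

    if (f->opt_num > MAX_IPOPTLEN)
        return false;
    for (unsigned i = 0; i < f->opt_num; i++) {
        uint16_t len = f->opt[i].length;
        if (len == 0 || len > remaining)
            return false;
        remaining -= len;
    }
    return true;
}

/* Constructed sample: two options, the second claiming 65535 bytes. Returns 1
 * when the count-only check accepts it and the per-option check rejects it. */
int osf_demo_oversized_length(void)
{
    struct osf_finger f = { .opt_num = 2 };
    f.opt[0].kind = 2; f.opt[0].length = 4;      /* MSS option, 4 bytes */
    f.opt[1].kind = 3; f.opt[1].length = 0xffff; /* WSCALE with bogus length */
    return osf_finger_check_count_only(&f) && !osf_finger_check_per_option(&f);
}
```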

Exploitation Context

  • Vector: Local
  • Authentication: Required (CAP_NET_ADMIN capability)
  • Complexity: Low
  • Impact: Medium (Confidentiality — kernel memory disclosure)

Exploitation requires local access with the CAP_NET_ADMIN capability. In containerized environments, however, CAP_NET_ADMIN is sometimes granted to containers, which extends the attack surface to any containerized workload holding it.

Remediation

Linux administrators should immediately:

  1. Apply the latest kernel patch that adds per-option length validation in nfnl_osf_add_callback() before processing fingerprint entries.
  2. Review container security policies to ensure CAP_NET_ADMIN is not unnecessarily granted to containerized workloads.
  3. Consider disabling the nfnetlink_osf module (modprobe -r nf_osf) if passive OS fingerprinting is not required in your environment.

Precogs AI Integration

The Precogs AI Binary Security Platform detects out-of-bounds read conditions by tracing array index and length field usage in kernel netlink message parsers, verifying that all user-supplied size fields are validated against buffer boundaries before being used in memory access operations.
