Bug 2492739 (CVE-2026-53249)

Summary: CVE-2026-53249 kernel: ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel's IPv4 networking component. This vulnerability allows an unprivileged application to set specific IP options, namely Loose Source and Record Route (LSRR) and Strict Source and Record Route (SSRR). By exploiting this, an attacker can force network packets to traverse through attacker-controlled nodes, leading to the leakage of sensitive information such as TCP Initial Sequence Numbers (ISN) and potentially other protocol details.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-25 10:03:12 UTC
In the Linux kernel, the following vulnerability has been resolved:

ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options

This patch restricts setting Loose Source and Record Route (LSRR)
and Strict Source and Record Route (SSRR) IP options to users
with CAP_NET_RAW capability.

This prevents unprivileged applications from forcing packets to route
through attacker-controlled nodes to leak TCP ISN and possibly other
protocol information.

While LSRR and SSRR are commonly filtered in many network environments,
they may still be supported and forwarded along some network paths.

RFC 7126 (Recommendations on Filtering of IPv4 Packets Containing
IPv4 Options) recommend to drop these options in 4.3 and 4.4.