2467064 – (CVE-2026-43190) CVE-2026-43190 kernel: netfilter: xt_tcpmss: check remaining length before reading optlen

Bug 2467064 (CVE-2026-43190) - CVE-2026-43190 kernel: netfilter: xt_tcpmss: check remaining length before reading optlen

Summary: CVE-2026-43190 kernel: netfilter: xt_tcpmss: check remaining length before re...

Keywords:
Status:	NEW
Alias:	CVE-2026-43190
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-06 13:02 UTC by OSIDB Bzimport
Modified:	2026-06-22 04:26 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2026:21556	None	None	None	2026-05-28 01:24:09 UTC
Red Hat Product Errata	RHSA-2026:21557	None	None	None	2026-05-28 01:20:05 UTC
Red Hat Product Errata	RHSA-2026:21706	None	None	None	2026-05-28 08:26:08 UTC
Red Hat Product Errata	RHSA-2026:21745	None	None	None	2026-05-28 13:26:34 UTC
Red Hat Product Errata	RHSA-2026:25028	None	None	None	2026-06-10 09:49:32 UTC
Red Hat Product Errata	RHSA-2026:25218	None	None	None	2026-06-11 10:53:57 UTC
Red Hat Product Errata	RHSA-2026:25533	None	None	None	2026-06-12 19:51:49 UTC
Red Hat Product Errata	RHSA-2026:26462	None	None	None	2026-06-17 01:14:01 UTC
Red Hat Product Errata	RHSA-2026:26515	None	None	None	2026-06-17 06:33:38 UTC
Red Hat Product Errata	RHSA-2026:26535	None	None	None	2026-06-17 09:18:48 UTC
Red Hat Product Errata	RHSA-2026:26563	None	None	None	2026-06-17 11:58:36 UTC
Red Hat Product Errata	RHSA-2026:27729	None	None	None	2026-06-22 04:26:59 UTC

Description OSIDB Bzimport 2026-05-06 13:02:19 UTC

In the Linux kernel, the following vulnerability has been resolved:

netfilter: xt_tcpmss: check remaining length before reading optlen

Quoting reporter:
  In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads
 op[i+1] directly without validating the remaining option length.

  If the last byte of the option field is not EOL/NOP (0/1), the code attempts
  to index op[i+1]. In the case where i + 1 == optlen, this causes an
  out-of-bounds read, accessing memory past the optlen boundary
  (either reading beyond the stack buffer _opt or the
  following payload).

Comment 1 Keith Grant 2026-05-06 20:41:36 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050642-CVE-2026-43190-f1c9@gregkh/T

Comment 3 errata-xmlrpc 2026-05-28 01:20:04 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:21557 https://access.redhat.com/errata/RHSA-2026:21557

Comment 4 errata-xmlrpc 2026-05-28 01:24:08 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:21556 https://access.redhat.com/errata/RHSA-2026:21556

Comment 5 errata-xmlrpc 2026-05-28 08:26:07 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:21706 https://access.redhat.com/errata/RHSA-2026:21706

Comment 6 errata-xmlrpc 2026-05-28 13:26:32 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:21745 https://access.redhat.com/errata/RHSA-2026:21745

Comment 7 errata-xmlrpc 2026-06-10 09:49:32 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions

Via RHSA-2026:25028 https://access.redhat.com/errata/RHSA-2026:25028

Comment 8 errata-xmlrpc 2026-06-11 10:53:56 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:25218 https://access.redhat.com/errata/RHSA-2026:25218

Comment 9 errata-xmlrpc 2026-06-12 19:51:48 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On
  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support

Via RHSA-2026:25533 https://access.redhat.com/errata/RHSA-2026:25533

Comment 10 errata-xmlrpc 2026-06-17 01:14:00 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:26462 https://access.redhat.com/errata/RHSA-2026:26462

Comment 11 errata-xmlrpc 2026-06-17 06:33:37 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:26515 https://access.redhat.com/errata/RHSA-2026:26515

Comment 12 errata-xmlrpc 2026-06-17 09:18:48 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:26535 https://access.redhat.com/errata/RHSA-2026:26535

Comment 13 errata-xmlrpc 2026-06-17 11:58:35 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:26563 https://access.redhat.com/errata/RHSA-2026:26563

Comment 14 errata-xmlrpc 2026-06-22 04:26:58 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2026:27729 https://access.redhat.com/errata/RHSA-2026:27729

Note You need to log in before you can comment on or make changes to this bug.