External risk intelligence

Linux Kernel Netfilter Transport Header Desync Advisory

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-46244

A vulnerability in the Linux kernel's netfilter component could allow attackers to forge transport headers and bypass firewalls. This occurs due to an incorrect calculation of the transport header offset when processing inner IPv6 packets with extension headers. The issue affects specific Linux kernel versions and coul

3Halo Surface Signal

Linux Kernel

6.2 to before 6.6.1426.7 to before 6.12.926.13 to before 6.18.346.19 to before 7.0.117.1

External exposure likelihood

Halo Surface Signal score for CVE-2026-46244

The vulnerability resides in the Linux kernel netfilter component, which parses incoming network traffic. While it requires specific nftables configurations to be reachable, it processes arbitrary packets. Because it handles network traffic in environments utilizing these filtering features, the vulnerability is plausibly reachable in deployments that inspect encapsulated IPv6 traffic.

PCI scan relevance

PCI Relevance for CVE-2026-46244

Yes

CVE-2026-46244 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This Linux kernel vulnerability could allow for firewall bypass due to incorrect handling of IPv6 transport headers, potentially impacting network security controls relevant to PCI.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in the Linux kernel's netfilter component, which handles network traffic filtering. This issue could potentially allow for the forgery of transport headers, leading to firewall bypass. The main concern is confirming if our specific configurations are exposed.

  • Network traffic filtering in Linux kernel affected.
  • Potential for firewall bypass through packet manipulation.
  • Confirm relevance and exposure in our environment.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted IPv6 packets to a system running a vulnerable Linux kernel. The netfilter component, which handles network packet filtering, incorrectly processes the transport header offset for encapsulated IPv6 packets with extension headers. This miscalculation allows an attacker to forge transport headers, potentially bypassing firewalls and enabling further malicious activity.

  • Network access and specific nftables configuration required.
  • Mismatched transport header offset triggers the vulnerability.
  • Leads to transport header forgery and firewall bypass.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could affect system data and service behavior when the Linux kernel's netfilter component is processing specific inner IPv6 packets. The issue arises from an incorrect calculation of the transport header offset, which could allow an attacker to bypass firewall rules.

  • Network traffic inspection could be impacted.
  • Transport header forgery may occur.
  • Firewall bypass is a potential consequence.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Real-world responsibility for this vulnerability likely falls to infrastructure and platform teams managing Linux systems, as it impacts the kernel's netfilter component. The initial critical step is to identify all Linux systems running affected kernel versions, determine their exposure to network traffic, and ascertain their business criticality. This will inform prioritization and the coordination of remediation efforts, potentially involving vendor support if commercial Linux distributions are in use.

  • Infrastructure and platform teams own remediation.
  • Verify affected systems and network exposure.
  • Plan updates during maintenance windows.

Frequently asked questions

What is the Linux kernel in the context of this advisory?

The Linux kernel is the fundamental core of the operating system that manages hardware resources and network traffic. This advisory specifically concerns the netfilter component, a subsystem within the kernel used to implement firewalls, packet filtering, and network address translation. It acts as the gatekeeper for incoming data, making it essential for system security.

What does this vulnerability mean for network security?

This vulnerability is an Improper Input Validation issue where the kernel miscalculates the location of transport headers within encapsulated IPv6 packets. Because the software fails to correctly identify where the header begins, it creates a desynchronization that can be manipulated. This weakness allows an attacker to forge headers, effectively tricking the firewall into misinterpreting the traffic and potentially allowing unauthorized access.

How is this CVE-2026-46244 vulnerability triggered?

The vulnerability is triggered when the kernel's netfilter component processes specific IPv6 packets containing extension headers. If the packet is encapsulated in a way that triggers the faulty offset calculation, the system becomes susceptible. Importantly, standard IPv6 traffic that does not rely on this specific inner packet parsing logic does not trigger the desync, meaning the flaw is constrained to specific, complex packet structures.

Is my system at risk according to Halo Surface Signal?

Halo Surface Signal indicates this is a possible concern if your environment uses nftables to inspect encapsulated IPv6 traffic. Because the vulnerable component handles arbitrary packets from the network, systems that are internet-facing or positioned to process untrusted traffic are more relevant. The risk is specifically tied to whether your active network filtering configurations exercise the flawed packet parsing logic.

What is the first step for responding to this advisory?

The immediate priority is to audit your infrastructure to identify all systems running affected kernel versions from 6.2 through the latest releases mentioned in the catalog. Once identified, evaluate whether those systems are configured to perform network traffic filtering on encapsulated IPv6 packets. Prioritize patching these critical assets through your standard maintenance processes or by coordinating with your Linux distribution vendor for updated kernels.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified