CVE-2026-43190
Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_tcpmss: check remaining length before reading optlen Quoting reporter: In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads op[i+1] directly without validating the remaining option length. If the last byte of the option field is not EOL/NOP (0/1), the code attempts to index op[i+1]. In the case where i + 1 == optlen, this causes an out-of-bounds read, accessing memory past the optlen boundary (either reading beyond the stack buffer _opt or the following payload).
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
Linux kernel Affected 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 2.6.12 | Affected | โ |
| โ | Affected | 5.10.252 |
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | โ |
AlmaLinux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | kernel-doc-4.18.0-553.126.1.el8_10.noarch.rpm |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 6.12.85-1 |
| sid | Fixed | 6.19.6-1 |
| forky | Fixed | 6.19.6-1 |
| bullseye | Fixed | 5.10.257-1 |
| bookworm | Fixed | 6.1.170-1 |
Red Hat Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | โ |
| 8 | Fixed | โ |
References
- https://git.kernel.org/stable/c/07a9b32eaae792ff7d0fcac14d8920c937c0a9c3
- https://git.kernel.org/stable/c/5e13d0a37666955b6cfddc0f73cb40ed645b8a05
- https://git.kernel.org/stable/c/735ee8582da3d239eb0c7a53adca61b79fb228b3
- https://git.kernel.org/stable/c/8b300f726640c48c3edfe9c453334dd801f4b74e
- https://git.kernel.org/stable/c/cd5beda7e0e32865e214f28034bb92c1cecff885
- https://git.kernel.org/stable/c/eaedc0bc18be46fe7f58170e967959a932c4f824
- https://git.kernel.org/stable/c/f6c412dcfd76b0516d51aa847d8f4c7b70381b09
- https://git.kernel.org/stable/c/f895191dc32c53eaf443b6443fe40945b2f92287
- https://www.suse.com/security/cve/CVE-2026-43190.html
- https://security-tracker.debian.org/tracker/CVE-2026-43190
- https://access.redhat.com/errata/RHSA-2026:21556
- https://access.redhat.com/errata/RHSA-2026:21706
- https://bugzilla.redhat.com/2404105
- https://bugzilla.redhat.com/2422699
- https://bugzilla.redhat.com/2424879
- https://bugzilla.redhat.com/2429602
- https://bugzilla.redhat.com/2448594
- https://bugzilla.redhat.com/2448745
- https://bugzilla.redhat.com/2454810
- https://bugzilla.redhat.com/2455334
- https://bugzilla.redhat.com/2461107
- https://bugzilla.redhat.com/2461757
- https://bugzilla.redhat.com/2461759
- https://bugzilla.redhat.com/2464369
- https://bugzilla.redhat.com/2464455
CWEs
CWE-125
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.