PatchSiren cyber security CVE debrief

CVE-2026-45873 Linux CVE debrief

A logic flaw in the Linux kernel's netfilter nft_set_rbtree implementation allowed partial interval overlaps to go undetected in anonymous sets. The existing overlap detection skipped checks on start elements when intervals were adjacent (an optimization in which end elements are omitted). This permitted two start elements to share the same starting point with different endpoints (e.g., A-B and A-C where C < B), a partial overlap that was not reported. The fix restores validation of overlapping start elements so that these cases are detected and rejected.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators using nftables with interval-based sets; security teams monitoring kernel netfilter integrity; distribution maintainers packaging kernel updates

Technical summary

The nft_set_rbtree module in the Linux kernel's netfilter framework failed to detect partial overlaps when processing anonymous sets with interval representations. The vulnerability stemmed from an optimization that skipped overlap checks on start elements for adjacent intervals (where end elements are omitted). This allowed malformed interval configurations where two start elements share the same starting point but have different endpoints (e.g., A-B and A-C where C < B) to bypass detection. The fix restores proper validation of overlapping start elements.

Defensive priority

medium

Recommended defensive actions

  • Review kernel version and confirm netfilter nftables is in use
  • Apply kernel updates containing the referenced stable commits when available from distribution maintainers
  • After patching, monitor nftables rule loads for failures caused by the corrected overlap detection rejecting interval sets it previously accepted
  • Validate nftables configuration for any rules relying on interval sets that may have been accepted due to the bypass
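To make the flaw in the technical summary concrete and to support the last action above (checking interval sets that may only have been accepted because of the bypass), here is an added example. It is not PatchSiren's or the kernel's code: it parses a constructed `nft list ruleset` snippet, runs a full pairwise overlap check over the intervals, and contrasts it with a simplified model of a start-only check that cannot see two elements beginning at the same address. The element syntax it accepts (ranges, prefixes, single IPv4 addresses) and the flawed-check model are assumptions made for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Interval:
    """Closed interval of integer-valued addresses, start <= end."""
    start: int
    end: int

    def __str__(self) -> str:
        return f"{ipaddress.ip_address(self.start)}-{ipaddress.ip_address(self.end)}"


# Constructed sample in the shape of `nft list ruleset` output. The first two
# elements begin at the same address with different endpoints: the A-B / A-C
# case from the advisory (C < B).
SAMPLE_RULESET = """\
table inet filter {
    set allowed {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0-10.0.0.100, 10.0.0.0-10.0.0.50,
                     10.0.1.0/24, 192.168.1.7 }
    }
}
"""


def parse_elements(text: str) -> List[Interval]:
    """Parse the `elements = { ... }` list of an IPv4 interval set.

    Handles ranges (a-b), prefixes (a/n) and single addresses. This is a
    constructed helper for the example, not nft's own parser.
    """
    m = re.search(r"elements\s*=\s*\{([^}]*)\}", text)
    if not m:
        return []
    intervals: List[Interval] = []
    for token in m.group(1).split(","):
        token = token.strip()
        if not token:
            continue
        if "-" in token:
            lo, hi = (part.strip() for part in token.split("-", 1))
            start, end = int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
        else:
            net = ipaddress.ip_network(token, strict=False)
            start, end = int(net.network_address), int(net.broadcast_address)
        if start > end:
            raise ValueError(f"inverted range: {token}")
        intervals.append(Interval(start, end))
    return intervals


def find_overlaps(intervals: List[Interval]) -> List[Tuple[Interval, Interval]]:
    """Full check: report every pair of intervals sharing at least one address.

    Sorting by (start, end) means that once a later interval starts past
    a.end, nothing after it can overlap a, so the inner loop can stop.
    """
    ordered = sorted(intervals, key=lambda iv: (iv.start, iv.end))
    found = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.start > a.end:
                break
            found.append((a, b))
    return found


def flawed_start_only_check(intervals: List[Interval]) -> List[Tuple[Interval, Interval]]:
    """Simplified model of the weak check (an assumption, not the kernel's code):
    only a start element that falls strictly inside an existing interval is
    treated as an overlap, so two elements starting at the same point with
    different endpoints are never reported."""
    ordered = sorted(intervals, key=lambda iv: (iv.start, iv.end))
    found = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if a.start < b.start <= a.end:
                found.append((a, b))
    return found


def audit(text: str) -> List[str]:
    """Return one human-readable line per overlapping pair in a set listing."""
    return [f"overlap: {a} and {b}" for a, b in find_overlaps(parse_elements(text))]


if __name__ == "__main__":
    for line in audit(SAMPLE_RULESET):
        print(line)
```

Run against a real listing, `audit` flags the same-start pair that the start-only model misses; any pair it reports is a set that a patched kernel may now refuse to load, so those are the elements to clean up before applying the update.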

Evidence notes

The vulnerability description indicates this was resolved in the Linux kernel netfilter subsystem. Multiple stable kernel commits are referenced, suggesting backports to various kernel versions. The issue affects nft_set_rbtree's handling of anonymous sets with interval representations.

Official resources

2026-05-27