PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46101 Linux CVE debrief

A vulnerability in the Linux kernel's netfilter subsystem could allow undefined behavior when processing malformed nftables rules. The nft_bitwise expression, used for bitwise operations in packet filtering rules, failed to validate zero-value shift operands during initialization. When a zero shift is specified, the carry propagation logic computes `BITS_PER_TYPE(u32) - shift`, which evaluates to 32, so a 32-bit value is shifted by 32 bits, which is undefined behavior in C. The fix adds validation in the control plane to reject zero shift values alongside the existing check for shifts >= 32, ensuring malformed rules cannot reach the packet processing path. This is a defense-in-depth control plane hardening fix with no known active exploitation.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators using nftables for packet filtering; security teams monitoring kernel netfilter attack surface; organizations with custom nftables rule generation pipelines

Technical summary

The nft_bitwise expression in Linux netfilter performs left and right shift operations on packet data. The carry propagation implementation uses `BITS_PER_TYPE(u32) - shift` to calculate the bits carried into the adjacent word. A zero shift operand makes this expression evaluate to 32, and shifting a 32-bit value by 32 bits is undefined behavior in C. The vulnerability exists because the initialization code only rejected shifts >= 32, not zero. The fix adds explicit zero shift rejection in the control plane during rule validation, preventing malformed rules from being installed. This is a proactive hardening measure with no demonstrated exploitability beyond undefined behavior invocation.
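To make the control-plane check and the data-path arithmetic concrete, here is an added user-space model (my own code, not the kernel's; all model_* names and the two-word sample are assumptions) that contrasts the original check, which rejected only shifts >= 32, with the fixed check that also rejects zero, and shows why zero matters: the carry width `32 - shift` becomes 32.

```c
/* Added example, not kernel code: user-space model of the nft_bitwise shift
 * checks and carry propagation described above (model_* names are my own). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define MODEL_BITS_PER_U32 32u

/* Control plane: originally only shift >= 32 was rejected; the fix also rejects 0. */
bool model_shift_accepted(unsigned int shift, bool with_fix)
{
    if (shift >= MODEL_BITS_PER_U32)
        return false;                  /* pre-existing check */
    return !(with_fix && shift == 0);  /* zero is rejected only with the fix */
}

/* Carry width derived from the operand: 32 for shift 0, and a u32 shifted by 32 is UB. */
unsigned int model_carry_shift(unsigned int shift)
{
    return MODEL_BITS_PER_U32 - shift;
}

/* Multi-word left shift with carry into the adjacent word (word 0 most significant).
 * Refuses unvalidated shifts so the undefined carry shift never executes; 0 or -1. */
int model_lshift(uint32_t *dst, const uint32_t *src, unsigned int words, unsigned int shift)
{
    if (!model_shift_accepted(shift, true))
        return -1;
    uint32_t carry = 0;
    for (int i = (int)words - 1; i >= 0; i--) {
        dst[i] = (src[i] << shift) | carry;
        carry = src[i] >> model_carry_shift(shift);  /* width is 1..31 here */
    }
    return 0;
}

/* Constructed sample {0x00000001, 0x80000000}: high word after the shift, 0xFFFFFFFF if rejected. */
uint32_t model_sample_high_word(unsigned int shift)
{
    const uint32_t src[2] = { 0x00000001u, 0x80000000u };
    uint32_t dst[2] = { 0, 0 };
    return model_lshift(dst, src, 2, shift) == 0 ? dst[0] : 0xFFFFFFFFu;
}

int main(void)
{
    printf("shift 0 accepted: before fix %d, after fix %d; carry width for shift 0: %u\n",
           model_shift_accepted(0, false), model_shift_accepted(0, true), model_carry_shift(0));
    printf("sample high word after shift 1: 0x%08x\n", model_sample_high_word(1));
    return 0;
}
```

The guard in `model_lshift` mirrors the fix's intent: once the control plane refuses zero, the data path only ever computes carry widths between 1 and 31.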

Defensive priority

medium

Recommended defensive actions

  • Review nftables rulesets for any bitwise shift operations with zero shift values
  • Apply kernel updates containing the referenced stable commits when available from distribution vendors
  • Monitor kernel logs for rejected rule installation attempts that may indicate probing activity
  • Validate nftables rule deployment pipelines to prevent zero shift values in generated rules

Evidence notes

The vulnerability description indicates this was resolved in the Linux kernel netfilter subsystem. The fix validates shift operands in nft_bitwise expressions during rule initialization. Multiple stable kernel commits are referenced, indicating backports to maintained kernel branches. The issue is classified as undefined behavior rather than a concrete memory safety vulnerability, with the fix preventing malformed rules from reaching runtime packet processing.

Official resources

2026-05-27