CVE-2026-45844

Published: May 27, 2026 · Updated: Jun 1, 2026

EPSS: 0.02% probability of exploitation in 30 days (percentile: 6.1)

Official Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: arp_tables: fix IEEE1394 ARP payload parsing

Weiming Shi says:

"arp_packet_match() unconditionally parses the ARP payload assuming two hardware addresses are present (source and target). However, IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address field, and arp_hdr_len() already accounts for this by returning a shorter length for ARPHRD_IEEE1394 devices.

As a result, on IEEE1394 interfaces arp_packet_match() advances past a nonexistent target hardware address and reads the wrong bytes for both the target device address comparison and the target IP address. This causes arptables rules to match against garbage data, leading to incorrect filtering decisions: packets that should be accepted may be dropped and vice versa.

The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already handles this correctly by skipping the target hardware address for ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match()."

Mangle the original patch to always return 0 (no match) in case the user matches on the target hardware address, which is never present in IEEE1394.

Note that this returns 0 (no match) for both normal and inverse match because matching on the target hardware address in ARPHRD_IEEE1394 has never been supported by arptables. This is intentional; matching on the target hardware address should never evaluate true for ARPHRD_IEEE1394.

Moreover, adjust arpt_mangle to drop the packet too, as AI suggests:

In arpt_mangle, the logic assumes a standard ARP layout. Because IEEE1394 (FireWire) omits the target hardware address, the linear pointer arithmetic miscalculates the offset for the target IP address. This causes mangling operations to write to the wrong location, leading to packet corruption. To ensure safety, this patch drops packets (NF_DROP) when mangling is requested for these fields on IEEE1394 devices, as the current implementation cannot correctly map the FireWire ARP payload.

This omits mangling of both the target hardware and IP address. Even if IP address mangling should be possible in IEEE1394, this would require adjusting the arpt_mangle offset calculation, which has never been supported.

Based on patch from Weiming Shi <[email protected]>.
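The following is an added illustration of the parsing problem the description covers; it is not the kernel's code nor the patch itself. It models the ARP payload layout two ways: the one net/ipv4/arp.c uses (no target hardware address on ARPHRD_IEEE1394) and the uniform layout the unpatched arp_packet_match() assumed, then parses a constructed RFC 2734 payload with both. The ARPHRD_* values are those of linux/if_arp.h; the 16-byte IEEE1394 hardware address length follows RFC 2734; the function names (arp_layout_correct, arp_layout_naive, arp_tha_rule_matches, arp_read_tpa, demo_ieee1394_tpa) and the sample payload are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hardware type codes, values as defined in linux/if_arp.h. */
#define ARPHRD_ETHER    1
#define ARPHRD_IEEE1394 24

/* Byte offsets of the ARP payload fields, relative to the first byte after the
 * fixed 8-byte arphdr. tha == -1 means the wire format has no target hardware
 * address (RFC 2734 IPv4-over-IEEE1394). */
struct arp_layout {
    int sha, spa, tha, tpa;
    size_t payload_len;  /* payload bytes the layout expects to be present */
};

/* Layout as arp_process()/arp_hdr_len() in net/ipv4/arp.c compute it: on an
 * IEEE1394 device the target IP address directly follows the sender IP. */
static struct arp_layout arp_layout_correct(uint16_t hw_type, uint8_t hln, uint8_t pln)
{
    struct arp_layout l;
    l.sha = 0;
    l.spa = hln;
    if (hw_type == ARPHRD_IEEE1394) {
        l.tha = -1;                /* field absent on the wire */
        l.tpa = hln + pln;
    } else {
        l.tha = hln + pln;
        l.tpa = hln + pln + hln;
    }
    l.payload_len = (size_t)l.tpa + pln;
    return l;
}

/* Layout the unpatched arp_packet_match() assumed for every device type. */
static struct arp_layout arp_layout_naive(uint8_t hln, uint8_t pln)
{
    struct arp_layout l;
    l.sha = 0;
    l.spa = hln;
    l.tha = hln + pln;
    l.tpa = hln + pln + hln;
    l.payload_len = (size_t)l.tpa + pln;
    return l;
}

/* Mirrors the patch's rule for target-hardware-address matches: on IEEE1394
 * the field never exists, so the rule is false for both normal and inverted
 * matches. On other device types the caller's comparison result is honoured. */
static int arp_tha_rule_matches(uint16_t hw_type, int bytes_equal, int invert)
{
    if (hw_type == ARPHRD_IEEE1394)
        return 0;
    return bytes_equal ^ invert;
}

/* Read the target IPv4 address (host order). Returns 0 on success, -1 when the
 * layout reaches past the payload that is actually present. */
static int arp_read_tpa(const struct arp_layout *l, const uint8_t *payload,
                        size_t payload_len, uint32_t *tpa)
{
    if (l->payload_len > payload_len)
        return -1;
    *tpa = ((uint32_t)payload[l->tpa] << 24) | ((uint32_t)payload[l->tpa + 1] << 16) |
           ((uint32_t)payload[l->tpa + 2] << 8) | payload[l->tpa + 3];
    return 0;
}

/* Constructed RFC 2734 ARP payload for an IEEE1394 device (hln = 16, pln = 4):
 * 16-byte sender hardware address, spa 10.0.0.1, tpa 10.0.0.2, no tha. */
static const uint8_t fw_payload[24] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
    10, 0, 0, 1,
    10, 0, 0, 2,
};

/* Parse the constructed payload with either layout; returns the tpa read, or 0
 * when the layout does not fit in the 24 bytes present. */
static uint32_t demo_ieee1394_tpa(int use_naive_layout)
{
    struct arp_layout l = use_naive_layout ? arp_layout_naive(16, 4)
                                           : arp_layout_correct(ARPHRD_IEEE1394, 16, 4);
    uint32_t tpa;
    if (arp_read_tpa(&l, fw_payload, sizeof fw_payload, &tpa) != 0)
        return 0;
    return tpa;
}

int main(void)
{
    printf("correct layout tpa: 0x%08x\n", demo_ieee1394_tpa(0));
    printf("naive layout   tpa: 0x%08x (0 = read past payload)\n", demo_ieee1394_tpa(1));
    printf("naive tpa offset %d vs payload length %zu\n",
           arp_layout_naive(16, 4).tpa, sizeof fw_payload);
    printf("tha rule on IEEE1394 (bytes equal, not inverted): %d\n",
           arp_tha_rule_matches(ARPHRD_IEEE1394, 1, 0));
    return 0;
}
```

With a 16-byte hardware address the naive layout places the target IP at offset 36 of a 24-byte payload, which is exactly why the unpatched matcher compared rules against bytes that belong to whatever follows the ARP payload in memory; the correct layout reads it at offset 20. The same offset reasoning is what makes the arpt_mangle target write land in the wrong place, which the patch avoids by dropping such packets on IEEE1394 devices.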

NVD Source

Technical Analysis

CVE-2026-45844 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOIT: No public exploit confirmed at this time

All References (8)

Quick Facts

CVE ID: CVE-2026-45844
Severity: NONE
CISA KEV: No
EPSS (30d): 0.02%
Published: May 27, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-45844 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.