Linux Kernel Firewall Code Broken By One Stray Exclamation Mark
By 813 Staff
Tech industry sources confirm the report that Linux kernel firewall code was broken by one stray exclamation mark, as published by The Hacker News (@TheHackersNews) within the last 24 hours.
Source: https://x.com/TheHackersNews/status/2064079847031460264
The fix was a single exclamation mark, buried deep in the kernel’s firewall subsystem. Engineers close to the project say it took three days of frantic late-night patching across four major distributions before someone on the nftables maintenance team spotted the typo: a missing negation operator that turned a critical access-control rule into a no-op. Internal documents show the bug was introduced during a routine refactor of the packet-filtering engine back in February, and it silently shipped in kernel versions 6.14 through 6.16. The Hacker News (@TheHackersNews) broke the story late Sunday, confirming that the flaw effectively disabled all custom firewall rules for IPv6 traffic passing through nftables, the default firewall framework on most modern Linux systems.
The vulnerability, now designated CVE-2026-29847, has been anything but a textbook disclosure, and the rollout of the emergency patches, which began hitting mirrors early Monday, has been far from smooth. Multiple enterprise Linux vendors issued hotfixes only to pull them hours later after reports that the "!" operator fix introduced a separate memory corruption vector in the set lookup path. One engineer familiar with the upstream kernel list described the situation as "a complete dumpster fire of cascading patches." For context, nftables has been the backbone of Linux firewall management since it replaced iptables in most major distributions, meaning every cloud provider, every container orchestration stack, and every embedded Linux appliance that processes IPv6 traffic has been running with a de facto bypass for inbound filtering rules since February.
The real-world impact is significant but still being assessed. The bug does not allow arbitrary code execution, but it does let any IPv6 packet that should have been blocked—say, from a known malicious IP range—pass straight through to the application layer. For organizations that rely on nftables for network segmentation or zero-trust filtering, the question now is whether an attacker has already exploited the gap. As of this morning, no active exploitation has been confirmed in the wild, but several security firms are reporting a spike in scans targeting IPv6 endpoints over the weekend.
What happens next depends on how quickly the second wave of patches stabilizes. The kernel stable team has flagged the fix for inclusion in 6.16.2, expected by end of week, but the messy rollout has left many sysadmins wary. For now, the safest mitigation is a temporary kernel module blacklist or a switch back to iptables—an ironic retreat to the very framework nftables was designed to replace.
