Vulnerability in the handling of IP fragments

TCP/IP stacks of Linux and Windows systems have a vulnerability in the handling of fragmented IP packets. An attacker may increase the effects of denial of service attacks by sending specially crafted IP fragments.

Various vulnerabilities in IP fragmentation have been discovered and fixed over the years. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size. A stream of tiny fragments can exhaust the fragment queue, degrading the overall network performance of the system. This can result in a denial of service. According to Microsoft, the vulnerability also affects Windows systems.

Vulnerability coordination:

The vulnerability was found by Juha-Matti Tiili from Aalto University, Department of Communications and Networking / Nokia Bell Labs. It was discovered together with the TCP segmentation issues published earlier in August 2018. NCSC-FI would like to thank the finder, CERT/CC and vendors for participating in the coordination.

  • Servers and server applications
  • Workstations and end-user applications
  • Network devices
  • Mobile communications systems
  • Embedded systems
  • Others


  • Servers and server applications
  • Workstations and end-user applications
  • Network devices
  • Mobile communications systems
  • Embedded systems
  • Others
Further information +

Attack vector

  • No authentication required
  • Remote
  • No user interaction required
Further information on the access vector +


  • Denial-of-service attack
Further information on the impact +


  • Software update patch
  • Restriction of the problem
Further information on the remediation +

Vulnerable software:

  • The vulnerability was introduced in Linux kernel in the version 3.9 and fixed in versions 3.18.118, 4.4.146, 4.9.118, 4.14.61, and 4.17.13.
  • All supported Windows versions

Possible solutions and restrictive measures:

Update the affected software using the automatic updates of your OS provider.

The vulnerability can be mitigated by restricting access to the vulnerable system. A simple mitigation on Linux is to decrease the size of the IP fragment queues:

sysctl -w net.ipv4.ipfrag_low_thresh=196608
sysctl -w net.ipv4.ipfrag_high_thresh=262144

As a workaround, Microsoft published the following commands that disable packet reassembly.

Netsh int ipv4 set global reassemblylimit=0
Netsh int ipv6 set global reassemblylimit=0

Contact Information

NCSC-FI Vulnerability Coordination can be contacted as follows:


Please quote the advisory reference [FICORA #1052508] in the subject line.

+358 295 390 230
Monday - Friday 08:00 – 16:15 (EET: UTC+3)

Vulnerability Coordination
P.O. Box 313
FI-00561 Helsinki

NCSC-FI encourages those who wish to communicate via email to make use of our PGP key. The PGP key as well as the vulnerability coordination principles of NCSC-FI are available at:

Further information:

Update history

Key words: Internet , Vulnerability coordination , Vulnerabilities

LinkedIn Print


The Finnish Communications Regulatory Authority (FICORA)

The National Cyber Security Centre Finland (NCSC-FI)

Itämerenkatu 3 A

P.O. Box 313


Media contacts by telephone +358 295 390 248