CVE Catalog

CVE-2026-53131

CriticalCVSS 9.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.43%

35th percentile — higher than 35% of all known CVEs

Summary

In the Linux kernel, a vulnerability was found in the netfilter subsystem where functions like `ip6t_eui64`, `xt_mac`, certain ipset types (`bitmap:ip,mac`, `hash:ip,mac`, `hash:mac`), and `nf_log_syslog` accessed the Ethernet header (`eth_hdr(skb)`) without first verifying that the skb is associated with an Ethernet device and that the MAC header is properly set and spans at least a full Ethernet header. This lack of validation could lead to incorrect data reads.

Risk Assessment

The risk involves potential reading of invalid data from kernel memory, which could lead to information disclosure or system instability. An attacker could craft a packet that bypasses checks and causes incorrect behavior of network filters.

Recommendation

It is recommended to immediately update the Linux kernel to a version containing the fix that adds the required checks before accessing the Ethernet header. Monitor official security advisories from your Linux distribution.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: netfilter: require Ethernet MAC header before using eth_hdr() `ip6t_eui64`, `xt_mac`, the `bitmap:ip,mac`, `hash:ip,mac`, and `hash:mac` ipset types, and `nf_log_syslog` access `eth_hdr(skb)` after either assuming that the skb is associated with an Ethernet device or checking only that the `ETH_HLEN` bytes at `skb_mac_header(skb)` lie between `skb->head` and `skb->data`. Make these paths first verify that the skb is associated with an Ethernet device, that the MAC header was set, and that it spans at least a full Ethernet header before accessing `eth_hdr(skb)`.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS