CVE Catalog

CVE-2026-53131

CriticalCVSS 9.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.43%

34th percentile — higher than 34% of all known CVEs

Summary

In the Linux kernel, a vulnerability was found in the netfilter subsystem where functions like `ip6t_eui64`, `xt_mac`, ipset types (`bitmap:ip,mac`, `hash:ip,mac`, `hash:mac`), and `nf_log_syslog` accessed the Ethernet header (`eth_hdr(skb)`) without first verifying that the skb is associated with an Ethernet device, that the MAC header is set, and that it spans at least a full Ethernet header. Missing these checks could lead to errors or potential security issues.

Risk Assessment

The organization may face unpredictable system behavior, including potential crashes or vulnerabilities that could allow an attacker to manipulate network traffic if exploited in a production environment.

Recommendation

Immediately update the Linux kernel to a version containing the fix that adds the required checks before accessing the Ethernet header in the netfilter subsystem.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: netfilter: require Ethernet MAC header before using eth_hdr() `ip6t_eui64`, `xt_mac`, the `bitmap:ip,mac`, `hash:ip,mac`, and `hash:mac` ipset types, and `nf_log_syslog` access `eth_hdr(skb)` after either assuming that the skb is associated with an Ethernet device or checking only that the `ETH_HLEN` bytes at `skb_mac_header(skb)` lie between `skb->head` and `skb->data`. Make these paths first verify that the skb is associated with an Ethernet device, that the MAC header was set, and that it spans at least a full Ethernet header before accessing `eth_hdr(skb)`.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS