Skip to main content

Linux Kernel CVE-2026-52927

| EUVDEUVD-2026-38730 HIGH
Out-of-bounds Read (CWE-125)
2026-06-24 Linux GHSA-c6h6-mmcc-x4qj
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.1 HIGH

Local ebtables call needs CAP_NET_ADMIN so PR:L/AV:L; an OOB read discloses kernel memory (C:H) and can crash the host (A:H) but does not corrupt state, so I:N.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:26 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 24, 2026 - 09:16 EUVD
CVE Published
Jun 24, 2026 - 07:14 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 24, 2026 - 07:14 cve.org
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ebtables: fix OOB read in compat_mtw_from_user

Luxiao Xu says:

The function compat_mtw_from_user() converts ebtables extensions from 32-bit user structures to kernel native structures. However, it lacks proper validation of the user-supplied match_size/target_size.

When certain extensions are processed, the kernel-side translation logic may perform memory accesses based on the extension's expected size. If the user provides a size smaller than what the extension requires, it results in an out-of-bounds read as reported by KASAN.

This fix introduces a check to ensure match_size is at least as large as the extension's required compatsize. This covers matches, watchers, and targets, while maintaining compatibility with standard targets.

AFAIU this is relevant for matches that need to go though match->compat_from_user() call. Those that use plain memcpy with the user-provided size are ok because the caller checks that size vs the start of the next rule entry offset (which itself is checked vs. total size copied from userspace).

The ->compat_from_user() callbacks assume they can read compatsize bytes, so they need this extra check.

Based on an earlier patch from Luxiao Xu.

AnalysisAI

Out-of-bounds kernel memory read in the Linux kernel ebtables 32-bit compat layer (compat_mtw_from_user) lets a local low-privileged user holding CAP_NET_ADMIN trigger KASAN-detected OOB reads by supplying an undersized match_size/target_size for an extension whose ->compat_from_user() callback assumes it can read compatsize bytes. It affects Linux from 2.6.34 through builds before the fix and is resolved upstream across all maintained stable branches; no public exploit is identified at time of analysis and EPSS is low (0.16%, 6th percentile).

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local execution in user/net namespace
Delivery
Acquire CAP_NET_ADMIN over netns
Exploit
Craft ebtables compat entry with undersized match_size
Execution
Submit via setsockopt to ebtables
Persist
Kernel ->compat_from_user reads past buffer
Impact
Leak kernel memory or crash host

Vulnerability AssessmentAI

Exploitation Exploitation requires local code execution plus the ability to invoke the ebtables setsockopt interface, which is gated by CAP_NET_ADMIN in the relevant network namespace - attainable by an otherwise-unprivileged user when unprivileged user namespaces are enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are internally consistent and point to a moderate, locally-scoped issue rather than an urgent one. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user - for example a process inside an unprivileged container that can create a user+network namespace and gain CAP_NET_ADMIN - issues an ebtables setsockopt compat request containing a match, watcher or target whose declared match_size/target_size is smaller than the extension's required compatsize. The kernel's ->compat_from_user() callback then reads past the supplied buffer, leaking adjacent kernel memory or crashing the system; no public proof-of-concept is identified at time of analysis.
Remediation Vendor-released patch: update to a fixed stable kernel for your branch - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.93, 6.18.35, 7.0.12, or 7.1 or later (commits at https://git.kernel.org/stable/c/d7a8fb6f10d55a1c37b0bf8c20cca24dffd76e00 and siblings) - and apply your distribution's corresponding kernel security update, then reboot. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all Linux systems in your environment and determine current kernel versions by running 'uname -r' or querying your asset inventory. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52927 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy