Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local ebtables call needs CAP_NET_ADMIN so PR:L/AV:L; an OOB read discloses kernel memory (C:H) and can crash the host (A:H) but does not corrupt state, so I:N.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ebtables: fix OOB read in compat_mtw_from_user
Luxiao Xu says:
The function compat_mtw_from_user() converts ebtables extensions from 32-bit user structures to kernel native structures. However, it lacks proper validation of the user-supplied match_size/target_size.
When certain extensions are processed, the kernel-side translation logic may perform memory accesses based on the extension's expected size. If the user provides a size smaller than what the extension requires, it results in an out-of-bounds read as reported by KASAN.
This fix introduces a check to ensure match_size is at least as large as the extension's required compatsize. This covers matches, watchers, and targets, while maintaining compatibility with standard targets.
AFAIU this is relevant for matches that need to go though match->compat_from_user() call. Those that use plain memcpy with the user-provided size are ok because the caller checks that size vs the start of the next rule entry offset (which itself is checked vs. total size copied from userspace).
The ->compat_from_user() callbacks assume they can read compatsize bytes, so they need this extra check.
Based on an earlier patch from Luxiao Xu.
AnalysisAI
Out-of-bounds kernel memory read in the Linux kernel ebtables 32-bit compat layer (compat_mtw_from_user) lets a local low-privileged user holding CAP_NET_ADMIN trigger KASAN-detected OOB reads by supplying an undersized match_size/target_size for an extension whose ->compat_from_user() callback assumes it can read compatsize bytes. It affects Linux from 2.6.34 through builds before the fix and is resolved upstream across all maintained stable branches; no public exploit is identified at time of analysis and EPSS is low (0.16%, 6th percentile).
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local code execution plus the ability to invoke the ebtables setsockopt interface, which is gated by CAP_NET_ADMIN in the relevant network namespace - attainable by an otherwise-unprivileged user when unprivileged user namespaces are enabled. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are internally consistent and point to a moderate, locally-scoped issue rather than an urgent one. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user - for example a process inside an unprivileged container that can create a user+network namespace and gain CAP_NET_ADMIN - issues an ebtables setsockopt compat request containing a match, watcher or target whose declared match_size/target_size is smaller than the extension's required compatsize. The kernel's ->compat_from_user() callback then reads past the supplied buffer, leaking adjacent kernel memory or crashing the system; no public proof-of-concept is identified at time of analysis. |
| Remediation | Vendor-released patch: update to a fixed stable kernel for your branch - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.93, 6.18.35, 7.0.12, or 7.1 or later (commits at https://git.kernel.org/stable/c/d7a8fb6f10d55a1c37b0bf8c20cca24dffd76e00 and siblings) - and apply your distribution's corresponding kernel security update, then reboot. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all Linux systems in your environment and determine current kernel versions by running 'uname -r' or querying your asset inventory. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38730
GHSA-c6h6-mmcc-x4qj