Skip to main content

Linux Kernel CVE-2026-53014

| EUVDEUVD-2026-38882 MEDIUM
2026-06-24 Linux GHSA-x2v8-3q4q-r8g6
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.1 MEDIUM

Mixed-device TC block is non-default (AC:H); CAP_NET_ADMIN required for TC rule configuration (PR:H); no confidentiality or integrity impact confirmed.

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 15, 2026 - 16:16 vuln.today
CVSS changed
Jul 15, 2026 - 14:07 NVD
5.5 (MEDIUM)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:29 nvd
MEDIUM 5.5
CVE Published
Jun 24, 2026 - 16:29 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir

In tcf_blockcast_redir(), when iterating block ports to redirect packets to multiple devices, the mac_header_xmit flag is queried from the wrong device. The loop sends to dev_prev but queries dev_is_mac_header_xmit(dev) - which is the NEXT device in the iteration, not the one being sent to.

This causes tcf_mirred_to_dev() to make incorrect decisions about whether to push or pull the MAC header. When the block contains mixed device types (e.g., an ethernet veth and a tunnel device), intermediate devices get the wrong mac_header_xmit flag, leading to skb header corruption. In the worst case, skb_push_rcsum with an incorrect mac_len can exhaust headroom and panic.

The last device in the loop is handled correctly (line 365-366 uses dev_is_mac_header_xmit(dev_prev)), confirming this is a copy-paste oversight for the intermediate devices.

Fix by using dev_prev instead of dev for the mac_header_xmit query, consistent with the device actually being sent to.

AnalysisAI

Kernel panic via skb headroom exhaustion in the Linux kernel's Traffic Control (TC) act_mirred subsystem affects systems using block-cast packet redirection across mixed device types. The root cause is a copy-paste error in tcf_blockcast_redir() where dev_is_mac_header_xmit() is queried against the next device in the iteration (dev) rather than the device currently being transmitted to (dev_prev), causing tcf_mirred_to_dev() to make wrong MAC header push/pull decisions for intermediate devices. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain local access with CAP_NET_ADMIN
Delivery
Configure TC block mixing veth and tunnel device
Exploit
Send packets triggering block-cast redirection
Install
Wrong mac_header_xmit flag applied to intermediate device
C2
tcf_mirred_to_dev pushes MAC header incorrectly
Execute
skb_push_rcsum exhausts headroom
Impact
Kernel panic / host DoS

Vulnerability AssessmentAI

Exploitation Exploitation requires local system access with the CAP_NET_ADMIN capability (or equivalent root privileges) to create and modify TC (Traffic Control) qdisc and filter rules - this capability is not granted to standard unprivileged users but is commonly delegated within containers. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) is broadly directionally correct but likely understates the privilege requirement: configuring TC rules requires CAP_NET_ADMIN, which exceeds typical PR:L assumptions in general-purpose Linux environments, though it is routinely granted within containers. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker or malicious process with CAP_NET_ADMIN on a Linux host - such as a privileged container workload in a multi-tenant Kubernetes cluster - configures a TC block containing both an Ethernet veth pair and a GRE tunnel device, then directs traffic through tcf_blockcast_redir. The incorrect mac_header_xmit evaluation for the veth device causes tcf_mirred_to_dev to push a MAC header onto an skb that has already had its headroom consumed, and the subsequent skb_push_rcsum call exhausts available headroom, triggering a BUG_ON or kernel panic that crashes the host node. …
Remediation Upgrade to a patched stable kernel release: 6.12.91, 6.18.33, 7.0.10, or 7.1, as confirmed by upstream stable commits at git.kernel.org (see affected_products for direct links). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53014 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy