Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Mixed-device TC block is non-default (AC:H); CAP_NET_ADMIN required for TC rule configuration (PR:H); no confidentiality or integrity impact confirmed.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir
In tcf_blockcast_redir(), when iterating block ports to redirect packets to multiple devices, the mac_header_xmit flag is queried from the wrong device. The loop sends to dev_prev but queries dev_is_mac_header_xmit(dev) - which is the NEXT device in the iteration, not the one being sent to.
This causes tcf_mirred_to_dev() to make incorrect decisions about whether to push or pull the MAC header. When the block contains mixed device types (e.g., an ethernet veth and a tunnel device), intermediate devices get the wrong mac_header_xmit flag, leading to skb header corruption. In the worst case, skb_push_rcsum with an incorrect mac_len can exhaust headroom and panic.
The last device in the loop is handled correctly (line 365-366 uses dev_is_mac_header_xmit(dev_prev)), confirming this is a copy-paste oversight for the intermediate devices.
Fix by using dev_prev instead of dev for the mac_header_xmit query, consistent with the device actually being sent to.
AnalysisAI
Kernel panic via skb headroom exhaustion in the Linux kernel's Traffic Control (TC) act_mirred subsystem affects systems using block-cast packet redirection across mixed device types. The root cause is a copy-paste error in tcf_blockcast_redir() where dev_is_mac_header_xmit() is queried against the next device in the iteration (dev) rather than the device currently being transmitted to (dev_prev), causing tcf_mirred_to_dev() to make wrong MAC header push/pull decisions for intermediate devices. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local system access with the CAP_NET_ADMIN capability (or equivalent root privileges) to create and modify TC (Traffic Control) qdisc and filter rules - this capability is not granted to standard unprivileged users but is commonly delegated within containers. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) is broadly directionally correct but likely understates the privilege requirement: configuring TC rules requires CAP_NET_ADMIN, which exceeds typical PR:L assumptions in general-purpose Linux environments, though it is routinely granted within containers. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker or malicious process with CAP_NET_ADMIN on a Linux host - such as a privileged container workload in a multi-tenant Kubernetes cluster - configures a TC block containing both an Ethernet veth pair and a GRE tunnel device, then directs traffic through tcf_blockcast_redir. The incorrect mac_header_xmit evaluation for the veth device causes tcf_mirred_to_dev to push a MAC header onto an skb that has already had its headroom consumed, and the subsequent skb_push_rcsum call exhausts available headroom, triggering a BUG_ON or kernel panic that crashes the host node. … |
| Remediation | Upgrade to a patched stable kernel release: 6.12.91, 6.18.33, 7.0.10, or 7.1, as confirmed by upstream stable commits at git.kernel.org (see affected_products for direct links). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38882
GHSA-x2v8-3q4q-r8g6