Skip to main content

Linux Kernel CVE-2026-53131

| EUVDEUVD-2026-39336 CRITICAL
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-8cg3-6h68-w2cj
9.4
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
9.4 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
vuln.today AI
6.5 MEDIUM

Reachable only with non-default MAC-based netfilter/ipset config and non-Ethernet-path packets (AC:H); bounded OOB read leaks limited memory (C:L) and can oops the kernel (A:H), no integrity impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:13 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
9.4 (CRITICAL)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
CRITICAL 9.4
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: require Ethernet MAC header before using eth_hdr()

ip6t_eui64, xt_mac, the bitmap:ip,mac, hash:ip,mac, and hash:mac ipset types, and nf_log_syslog access eth_hdr(skb) after either assuming that the skb is associated with an Ethernet device or checking only that the ETH_HLEN bytes at skb_mac_header(skb) lie between skb->head and skb->data.

Make these paths first verify that the skb is associated with an Ethernet device, that the MAC header was set, and that it spans at least a full Ethernet header before accessing eth_hdr(skb).

AnalysisAI

Out-of-bounds memory access in the Linux kernel's netfilter subsystem allows attackers to leak adjacent kernel memory or crash the host by sending packets that traverse MAC-based matching paths (xt_mac, ip6t_eui64, the bitmap:ip,mac/hash:ip,mac/hash:mac ipset types, and nf_log_syslog) which call eth_hdr(skb) without first confirming the skb carries a full Ethernet header. Affected kernels span the 5.15 through 7.1 stable trees prior to the fixed releases, and the impact is information disclosure and denial of service rather than code execution. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify host using MAC-based netfilter/ipset rules
Delivery
Send packet via non-Ethernet path
Exploit
Reach eth_hdr() match without MAC header
Execution
Trigger out-of-bounds read
Impact
Leak adjacent kernel memory or oops kernel

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target host has MAC-address-based netfilter processing enabled - specifically an `xt_mac` (`-m mac`) rule, an `ip6t_eui64` match, a `bitmap:ip,mac` / `hash:ip,mac` / `hash:mac` ipset in use, or MAC logging through `nf_log_syslog` - AND that a packet reaches that code on an skb not backed by a complete Ethernet MAC header (e.g., arriving via a non-Ethernet device such as a tunnel, PPP, or loopback, or before the MAC header is set). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals here conflict and warrant scrutiny. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An administrator runs a firewall using `-m mac` matches or a `hash:mac` ipset, and the host receives traffic over a non-Ethernet interface such as a VPN tunnel, PPP link, or loopback. An attacker sends a crafted packet down that path so that when netfilter evaluates the MAC match it dereferences `eth_hdr(skb)` past the valid header, leaking adjacent kernel bytes into logs or oopsing the kernel. …
Remediation Vendor-released patch: update to Linux 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or later) matching your branch, then reboot or apply the corresponding livepatch; the fixes are the stable commits at git.kernel.org/stable/c/ (063f4336…, 367abcac…, 4435888e…, 5d634afb…, 62443dc2…, 726abf97…, cea435ea…). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running Linux kernel versions 5.15-7.1 stable and assess criticality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53131 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy