Skip to main content

Linux Kernel CVE-2026-53211

| EUVDEUVD-2026-39302 MEDIUM
Memory Leak (CWE-401)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-vccq-h5j4-92qr
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
3.3 LOW

Local low-privilege attacker leaks 2 uninitialized stack bytes via a register read; no integrity or availability impact is described or plausible from the mechanism.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 02, 2026 - 23:18 vuln.today
CVSS changed
Jul 02, 2026 - 21:07 NVD
5.5 (MEDIUM)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register

NFT_META_BRI_IIFHWADDR declares its destination register with len = ETH_ALEN (6 bytes), which the register-init tracking rounds up to two 32-bit registers (8 bytes). nft_meta_bridge_get_eval() then does memcpy(dest, br_dev->dev_addr, ETH_ALEN), writing only 6 bytes and leaving the upper 2 bytes of the second register as uninitialised nft_do_chain() stack. A downstream load of that register span leaks those stale bytes to userspace.

Zero the second register before the memcpy so the full declared span is written.

AnalysisAI

Kernel stack information disclosure in the Linux kernel's netfilter nft_meta_bridge subsystem leaks 2 bytes of uninitialized stack data to userspace via the IIFHWADDR register. A local attacker with CAP_NET_ADMIN privileges can craft an nftables bridge rule that reads the full 8-byte register span after a memcpy writes only 6 bytes, exposing stale nft_do_chain() stack content. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local access with CAP_NET_ADMIN
Delivery
Confirm or load nft_meta_bridge module
Exploit
Create nftables bridge rule using IIFHWADDR meta attribute
Execution
Send or await bridged packet to trigger rule evaluation
Persist
nft_meta_bridge_get_eval() memcpy writes 6 bytes, 2 stack bytes remain uninitialised
Impact
Downstream register read returns 2 stale kernel stack bytes to userspace

Vulnerability AssessmentAI

Exploitation Requires local system access with CAP_NET_ADMIN capability or equivalent privilege within a Linux user namespace. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, score 5.5) contains a significant internal inconsistency: the described impact is 2 bytes of kernel stack leaking to userspace - a confidentiality concern - yet the vector assigns C:N (no confidentiality impact) and A:H (high availability). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker with CAP_NET_ADMIN capability - or operating within a Linux user namespace that grants equivalent rights - loads nftables bridge rules referencing the IIFHWADDR meta attribute and a downstream register-read expression spanning the full 8-byte register width. When bridged packets trigger rule evaluation, nft_meta_bridge_get_eval() copies 6 bytes of MAC address and leaves 2 bytes of stale nft_do_chain() stack content readable via the downstream expression. …
Remediation Upgrade to Linux kernel 6.18.36 (stable) or 7.0.13 (stable); the 7.1-rc series fix targets the 7.1 stable release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53211 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy