Skip to main content

Linux Kernel CVE-2026-53218

| EUVDEUVD-2026-39309 MEDIUM
Use of Uninitialized Resource (CWE-908)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-3j78-pf43-6mvq
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local-only vector confirmed by nftables configuration requirement; PR:L reflects CAP_NET_ADMIN needed; no confidentiality or integrity impact - kernel crash only.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 02, 2026 - 21:08 vuln.today
CVSS changed
Jul 02, 2026 - 21:07 NVD
5.5 (MEDIUM)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_exthdr: fix register tracking for F_PRESENT flag

nft_exthdr_init() passes user-controlled priv->len to nft_parse_register_store(), which marks that many bytes in the register bitmap as initialized. However, when NFT_EXTHDR_F_PRESENT is set, the eval paths write only 1 byte (nft_reg_store8) or 4 bytes (*dest = 0 on TCP/DCCP error path). When len > 4, registers beyond the first are never written, retaining uninitialized stack data from nft_regs.

Bail out if userspace requests too much data when F_PRESENT is set.

AnalysisAI

Register tracking corruption in the Linux kernel's netfilter nft_exthdr subsystem allows a local low-privileged attacker with nftables configuration rights to trigger reads of uninitialized stack data from nft_regs, resulting in kernel instability or denial of service. The flaw affects any kernel version since the introduction of commit c078ca3b0c5b through the respective unpatched stable branches. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain CAP_NET_ADMIN on target system
Delivery
Craft nftables ruleset with exthdr expression (F_PRESENT flag, len > 4)
Exploit
Load malformed rule via nft API
Execution
Trigger packet evaluation against crafted rule
Persist
Uninitialized nft_regs stack data consumed by downstream expressions
Impact
Kernel instability or panic causing denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires local access to the target system and possession of the CAP_NET_ADMIN capability (or equivalent privilege to configure nftables rules via the nft or iptables-nft toolchain). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, score 5.5 Medium) accurately frames this as a local, low-privilege denial-of-service requiring no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker with CAP_NET_ADMIN rights - for example, a container process with user namespace privileges - uses nft to load an nftables ruleset containing an exthdr expression with NFT_EXTHDR_F_PRESENT set and a len value greater than 4. When the kernel evaluates network packets against this rule, nft_regs registers beyond the first are read as initialized but contain uninitialized stack data, potentially corrupting downstream filter logic and causing kernel instability or a panic, resulting in a system-wide denial of service. …
Remediation Upgrade to one of the vendor-released patched kernel stable branches: 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53218 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy